April 1, 2022

GHSL-2022-007: Partial path traversal in Apache Felix Atomos

Jaroslav Lobacevski

Coordinated Disclosure Timeline

Summary

A partial path traversal allows breaking out of the expected folder.

Product

Apache Felix Atomos

Tested Version

Latest revision 987492ecde0493e3e048ea30974e657b11d875ad on Linux

Details

Issue: Partial path traversal in ConnectContentFile.java (GHSL-2022-007)

getFile in ConnectContentFile.java validates at [1] whether the canonical file path starts with the canonical path of the expected root.

import java.io.File;
import java.io.IOException;
import java.util.Optional;

// POINTER_UPPER_DIRECTORY is the parent-directory marker defined elsewhere in the
// class (assumed to be ".."; its definition is not shown here).
private Optional<File> getFile(String path)
{
    File file = new File(root, path);
    if (!file.exists())
    {
        return Optional.empty();
    }
    if (path.contains(POINTER_UPPER_DIRECTORY))
    {
        try
        {
            // Plain string prefix comparison of canonical paths
            if (!file.getCanonicalPath().startsWith(root.getCanonicalPath())) //<----------- [1]
            {
                return Optional.empty();
            }
        }
        catch (IOException e)
        {
            return Optional.empty();
        }
    }
    return Optional.of(file);
}

If the result of root.getCanonicalPath() is not slash-terminated, the check allows a partial path traversal: any sibling whose name merely begins with the root's name passes the prefix test.

Consider "/usr/outnot".startsWith("/usr/out"): the check passes even though /usr/outnot is not the out directory. The terminating slash may be removed in various places. On Linux, println(new File("/var/")) prints /var, println(new File("/var", "/")) prints /var/, but println(new File("/var", "/").getCanonicalPath()) prints /var.
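The following is an added example, not code from Atomos or from the advisory author. It reproduces the prefix comparison from [1] beside two hardened variants (a component-wise comparison with java.nio.file.Path, and a string comparison that forces a trailing separator on the root) and runs all three against constructed temporary directories named out and outnot. The class and method names are this example's own.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class PartialTraversalDemo {

    // Mirrors the check at [1]: a character-level prefix test on canonical paths.
    // "/tmp/x/outnot/f" starts with "/tmp/x/out", so a sibling directory passes.
    static boolean naiveCheck(File root, File candidate) throws IOException {
        return candidate.getCanonicalPath().startsWith(root.getCanonicalPath());
    }

    // Hardened variant 1: Path.startsWith compares whole path components,
    // so "outnot" is never treated as a prefix of "out".
    static boolean componentCheck(File root, File candidate) throws IOException {
        Path rootCanon = root.getCanonicalFile().toPath();
        Path candCanon = candidate.getCanonicalFile().toPath();
        return candCanon.startsWith(rootCanon);
    }

    // Hardened variant 2: keep the string comparison but append the separator
    // to the root (unless it already ends with one, e.g. "/"), and accept the
    // root itself as a valid candidate.
    static boolean separatorCheck(File root, File candidate) throws IOException {
        String rootCanon = root.getCanonicalPath();
        String candCanon = candidate.getCanonicalPath();
        if (candCanon.equals(rootCanon)) {
            return true;
        }
        if (!rootCanon.endsWith(File.separator)) {
            rootCanon += File.separator;
        }
        return candCanon.startsWith(rootCanon);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/out (the expected root) and <tmp>/outnot (a sibling).
        Path base = Files.createTempDirectory("ghsl-2022-007-");
        File out = Files.createDirectory(base.resolve("out")).toFile();
        File outnot = Files.createDirectory(base.resolve("outnot")).toFile();
        File inside = new File(out, "allowed.txt");
        File sibling = new File(outnot, "sibling.txt");
        Files.writeString(inside.toPath(), "constructed sample");
        Files.writeString(sibling.toPath(), "constructed sample");

        // A relative path that leaves the root via ".." and lands in the sibling.
        File escaping = new File(out, ".." + File.separator + "outnot" + File.separator + "sibling.txt");
        // A legitimate path that stays inside the root.
        File legitimate = new File(out, "allowed.txt");

        System.out.println("root canonical path: " + out.getCanonicalPath());
        System.out.println("legitimate  naive=" + naiveCheck(out, legitimate)
                + " component=" + componentCheck(out, legitimate)
                + " separator=" + separatorCheck(out, legitimate));
        System.out.println("escaping    naive=" + naiveCheck(out, escaping)
                + " component=" + componentCheck(out, escaping)
                + " separator=" + separatorCheck(out, escaping));

        // Clean up the constructed directories.
        Files.deleteIfExists(inside.toPath());
        Files.deleteIfExists(sibling.toPath());
        Files.deleteIfExists(out.toPath());
        Files.deleteIfExists(outnot.toPath());
        Files.deleteIfExists(base);
    }
}
```

On Linux the legitimate file passes all three checks, while the escaping path passes only naiveCheck: its canonical form begins with the root's canonical string but shares no directory component beyond the parent. Either hardened variant closes the gap; the component-wise form is preferable because it does not depend on separator handling.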

Impact

This issue allows breaking out of the expected folder.

Credit

This issue was discovered and reported by GHSL team member @JarLob (Jaroslav Lobačevski).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2022-007 in any communication regarding this issue.