The patch file for CVE-2018-1002200 still has a vulnerability, which is a partial path traversal vulnerability.
In commit f8f4233, the `extractFile` function uses `if ( !canonicalDestPath.startsWith( canonicalDirPath ) )` to check for path traversal vulnerabilities. But it still allows a malicious actor to potentially break out of the expected directory. The impact is limited to sibling directories. For example, `userControlled.getCanonicalPath().startsWith("/usr/out")` will allow an attacker to access a directory with a name like `/usr/outnot`.
Comparing paths with the `java.nio.files.Path#startsWith` will adequately protect against this vulnerability.
For example: `file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY)` or `file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())`
AbstractUnArchiver#extractFile uses String#startsWith to verify
whether the target file is located inside the destination directory.
This check gives false negative for cases such as /opt/directory and
/opt/dir. /opt/directory starts with /opt/dir although it is not inside it.
This is a limited path traversal vulnerability.
Fixes: #260
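The issue report and the commit message above describe the same weakness: a `String#startsWith` prefix test on canonical paths accepts sibling directories such as `/opt/directory` when the base is `/opt/dir`. The following stand-alone Java class is an added example, not code from plexus-archiver or from the issue author; it places the weak string check beside the `java.nio.file.Path#startsWith` check the report recommends and runs both over a few constructed paths (the directories do not need to exist; `File#getCanonicalFile` still normalises `..` segments). The class and method names are assumptions chosen for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: contrasts the prefix-string containment check that the
 * issue describes with the path-element check it recommends.
 */
public class PathContainmentCheck {

    /**
     * The weak check: a plain string prefix test on canonical paths.
     * "/opt/directory/x" starts with "/opt/dir" even though /opt/directory
     * is a sibling of /opt/dir, so this returns true for a file outside
     * the base directory.
     */
    static boolean weakStringCheck(String canonicalDirPath, String canonicalDestPath) {
        return canonicalDestPath.startsWith(canonicalDirPath);
    }

    /**
     * The recommended check: java.nio.file.Path#startsWith compares whole
     * name elements, so "/opt/directory/x" does not start with "/opt/dir".
     * Both sides are canonicalised first so that ".." segments and symlinks
     * cannot be used to step back out of the base directory.
     */
    static boolean pathElementCheck(File baseDir, File dest) throws IOException {
        Path canonicalBase = baseDir.getCanonicalFile().toPath();
        Path canonicalDest = dest.getCanonicalFile().toPath();
        return canonicalDest.startsWith(canonicalBase);
    }

    /** One row of the comparison: the candidate and what each check decided. */
    static final class Result {
        final String candidate;
        final boolean weakAccepts;
        final boolean pathAccepts;

        Result(String candidate, boolean weakAccepts, boolean pathAccepts) {
            this.candidate = candidate;
            this.weakAccepts = weakAccepts;
            this.pathAccepts = pathAccepts;
        }
    }

    /** Runs both checks for every candidate against the given base directory. */
    static List<Result> compare(File baseDir, String... candidates) throws IOException {
        String canonicalBase = baseDir.getCanonicalPath();
        List<Result> results = new ArrayList<>();
        for (String candidate : candidates) {
            File dest = new File(candidate);
            boolean weak = weakStringCheck(canonicalBase, dest.getCanonicalPath());
            boolean strict = pathElementCheck(baseDir, dest);
            results.add(new Result(candidate, weak, strict));
        }
        return results;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample paths; none of them has to exist on disk.
        File baseDir = new File("/opt/dir");
        List<Result> results = compare(baseDir,
                "/opt/dir/archive-entry.txt",      // genuinely inside: both checks accept
                "/opt/directory/archive-entry.txt", // sibling directory: only the weak check accepts
                "/opt/dir/../dir2/archive-entry.txt"); // ".." escape: canonicalised, both reject

        System.out.printf("%-40s %-12s %-12s%n", "candidate", "String check", "Path check");
        for (Result r : results) {
            System.out.printf("%-40s %-12s %-12s%n", r.candidate, r.weakAccepts, r.pathAccepts);
        }
    }
}
```

Running `main` shows the difference on the second row only: the `String` prefix check accepts `/opt/directory/archive-entry.txt` because the canonical string begins with `/opt/dir`, while the `Path` check rejects it because `directory` is not the name element `dir`. The third row is rejected by both only because the destination is canonicalised before comparison; comparing the raw entry name would let the `..` segment through, which is why the canonicalisation step is kept in `pathElementCheck` rather than left to the caller.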