[H10zCpAQ] Fix CWE-73: Added check to prevent reading from outside me…

…trics directory (#3245)
neo4j-contrib · Jan 30, 2023 · 7708985 · 7708985
1 parent fde69c7
commit 7708985
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/apoc-core b/apoc-core
diff --git a/extended/src/main/java/apoc/metrics/Metrics.java b/extended/src/main/java/apoc/metrics/Metrics.java
@@ -14,6 +14,7 @@
 
 import java.io.File;
 import java.io.FilenameFilter;
+import java.io.IOException;
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.Map;
@@ -29,6 +30,9 @@
  */
 @Extended
 public class Metrics {
+    public static final String OUTSIDE_DIR_ERR_MSG = "The path you are trying to access is outside the metrics directory and " +
+            "this procedure is only permitted to access files in it. " +
+            "This may occur if the path in question is a symlink or other link.";
     @Context
     public Log log;
 
@@ -171,7 +175,15 @@ public Stream<GenericMetric> loadCsvForMetric(String metricName, Map<String,Obje
                     "https://neo4j.com/docs/operations-manual/current/monitoring/metrics/expose/#metrics-csv");
         }
 
-        String url = new File(metricsDir, metricName + ".csv").getAbsolutePath();
+        final File file = new File(metricsDir, metricName + ".csv");
+        try {
+            if (!file.getCanonicalPath().startsWith(metricsDir.getAbsolutePath())) {
+                throw new RuntimeException(OUTSIDE_DIR_ERR_MSG);
+            }
+        } catch (IOException ioe) {
+            throw new RuntimeException("Unable to resolve basic metric file canonical path", ioe);
+        }
+        String url = file.getAbsolutePath();
         CountingReader reader = null;
         try {
             reader = FileUtils.getStreamConnection(SupportedProtocols.file, url, null, null)

diff --git a/extended/src/test/java/apoc/metrics/MetricsTest.java b/extended/src/test/java/apoc/metrics/MetricsTest.java
@@ -3,6 +3,7 @@
 import apoc.util.Neo4jContainerExtension;
 import apoc.util.TestContainerUtil.ApocPackage;
 import org.junit.AfterClass;
+import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.Ignore;
 import org.junit.Test;
@@ -16,9 +17,11 @@
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
+import static apoc.metrics.Metrics.OUTSIDE_DIR_ERR_MSG;
 import static apoc.util.FileUtils.NEO4J_DIRECTORY_CONFIGURATION_SETTING_NAMES;
 import static apoc.util.TestContainerUtil.*;
 import static apoc.util.Util.map;
+import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import static org.neo4j.test.assertion.Assert.assertEventually;
 
@@ -48,7 +51,18 @@ public static void beforeAll() throws InterruptedException {
     public static void afterAll() {
         neo4jContainer.close();
     }
+
 
+    @Test
+    public void shouldNotGetFileOutsideMetricsDir() {
+        try {
+            testCall(session, "CALL apoc.metrics.get('../external')",
+                    (r) -> Assert.fail("Should fail because the path is outside the dir "));
+        } catch (RuntimeException e) {
+            assertEquals("Failed to invoke procedure `apoc.metrics.get`: Caused by: java.lang.RuntimeException: " + OUTSIDE_DIR_ERR_MSG, e.getMessage());
+        }
+    }
+
     // TODO: Investigate broken test. It hangs for more than 30 seconds for no reason.
     @Test
     @Ignore
+4 −4		build.gradle
+30 −0		common/src/main/antlr/apoc/custom/Signature.g4
+8 −0		common/src/main/java/apoc/ApocConfig.java
+0 −1		common/src/main/java/apoc/ApocExtensionFactory.java
+16 −0		common/src/main/java/apoc/Description.java
+0 −1		common/src/main/java/apoc/RegisterComponentFactory.java
+7 −1		common/src/main/java/apoc/SystemLabels.java
+15 −0		common/src/main/java/apoc/SystemPropertyKeys.java
+4 −0		common/src/main/java/apoc/export/cypher/FileManagerFactory.java
+3 −0		common/src/main/java/apoc/load/LoadJsonUtils.java
+3 −0		common/src/main/java/apoc/load/Mapping.java
+66 −0		common/src/main/java/apoc/load/util/JdbcUtil.java
+130 −0		common/src/main/java/apoc/load/util/LoadCsvConfig.java
+85 −0		common/src/main/java/apoc/load/util/LoadJdbcConfig.java
+15 −0		common/src/main/java/apoc/result/BooleanResult.java
+20 −0		common/src/main/java/apoc/result/IdsResult.java
+42 −0		common/src/main/java/apoc/result/KernelInfoResult.java
+15 −0		common/src/main/java/apoc/result/KeyValueResult.java
+27 −0		common/src/main/java/apoc/result/NodeValueErrorMapResult.java
+27 −0		common/src/main/java/apoc/result/NodeWithMapResult.java
+37 −0		common/src/main/java/apoc/result/StoreInfoResult.java
+15 −0		common/src/main/java/apoc/result/StringResult.java
+33 −0		common/src/main/java/apoc/result/TransactionInfoResult.java
+0 −1		common/src/main/java/apoc/result/VirtualNode.java
+1 −1		common/src/main/java/apoc/result/VirtualPath.java
+0 −1		common/src/main/java/apoc/result/VirtualRelationship.java
+53 −0		common/src/main/java/apoc/util/FileUtils.java
+4 −0		common/src/main/java/apoc/util/JsonUtil.java
+43 −0		common/src/main/java/apoc/util/UrlResolver.java
+46 −0		common/src/main/java/apoc/util/Util.java
+50 −0		common/src/main/java/apoc/uuid/UuidConfig.java
+1 −2		core/src/main/java/apoc/text/Strings.java
+10 −9		core/src/main/java/apoc/trigger/TriggerHandlerNewProcedures.java
+1 −2		core/src/main/java/apoc/util/Utils.java
+0 −65		core/src/test/java/apoc/trigger/TriggerNewProceduresTest.java
+0 −17,166		log.txt
+3 −3		readme.adoc
+1 −1		test-utils/src/main/java/apoc/trigger/TriggerTestUtil.java
+32 −0		test-utils/src/main/java/apoc/util/GoogleCloudStorageContainerExtension.java
+23 −0		test-utils/src/main/java/apoc/util/MySQLContainerExtension.java
+0 −1		test-utils/src/main/java/apoc/util/Neo4jContainerExtension.java
+13 −1		test-utils/src/main/java/apoc/util/TestContainerUtil.java
+14 −1		test-utils/src/main/java/apoc/util/TestUtil.java
+7 −20		test-utils/src/main/java/apoc/util/s3/S3TestUtil.java
+5 −16		test-utils/src/main/java/org/neo4j/test/rule/DbmsRule.java