SasanLabs / VulnerableApp

OWASP VulnerableApp Project: For Security Enthusiasts by Security Enthusiasts.
https://sasanlabs.github.io/VulnerableApp/
Apache License 2.0

File retrieval endpoint security validation #344

Open preetkaran20 opened 2 years ago

preetkaran20 commented 2 years ago

Describe the bug

We are reading a file in the https://github.com/SasanLabs/VulnerableApp/blob/master/src/main/java/org/sasanlabs/service/vulnerability/fileupload/PreflightController.java class that we uploaded at Level_8 of the unrestricted file upload vulnerability (as shown below), and it seems like that code can even read files like /etc/passwd.

This task is to validate the code and check if it is vulnerable. If it is vulnerable, we need to secure that endpoint. Similarly, for other levels in the same vulnerability, we need to validate the same thing.

[image attached to the original issue]

To Reproduce

Upload a file in Level_8, go to the location returned by the upload event, try sending payloads like /etc/passwd or ../etc/passwd, and check if it shows the content of /etc/passwd.

Expected behavior

The relative path should not show the content of the file system.

tkomlodi commented 10 months ago

If I understand this ticket correctly, its purpose is to make sure that PreflightController.java doesn't have a path traversal vulnerability.

It does not appear to have one.

The endpoint path is defined with @RequestMapping("contentDispositionUpload/{fileName}"), with the file name mapped by @PathVariable("fileName"). In such a case, Spring will not call this controller method if there are any slashes after "contentDispositionUpload/". Such paths would have to be mapped with "**" or some other way to be picked up by this controller method. This is also true even if the slashes are escaped, such as %2F.

Double dots ".." can be included in the file name, but just by themselves they don't allow traversing outside of the directory.

I added logging to the controller method to print the file name when it gets called. I tried various combinations with slashes in it, but could not trigger the method with any of them.

After uploading a "test.html" file at LEVEL_8, I ran the below tests:

wget 'http://localhost:9090/VulnerableApp/contentDispositionUpload/test.html'
    downloads file successfully

wget 'http://localhost:9090/VulnerableApp/contentDispositionUpload/../test.html'
    404 response and controller method doesn't get called

wget 'http://localhost:9090/VulnerableApp/contentDispositionUpload/..test.html'
    method gets called but returns 500: java.io.FileNotFoundException: /tmp/205522663096713176/..test.html (No such file or directory)

wget 'http://localhost:9090/VulnerableApp/contentDispositionUpload/tmp/test.html'
    /tmp/test.html file exists on system, but 404 is returned

wget 'http://localhost:9090/VulnerableApp/contentDispositionUpload/tmp%2Ftest.html'
    returns 400 and method doesn't get called

wget 'http://localhost:9090/VulnerableApp/contentDispositionUpload/..\test.html'
wget 'http://localhost:9090/VulnerableApp/contentDispositionUpload/\tmp\test.html'
wget 'http://localhost:9090/VulnerableApp/contentDispositionUpload/\tmp\test.html'
wget 'http://localhost:9090/VulnerableApp/contentDispositionUpload\test.html'
    these all return 400 and method is not called

@preetkaran20, let me know if I misunderstood the ticket or you think there are gaps in the logic. Thanks!
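The comment above relies on Spring's path-variable matching to keep slashes out of the file name, and on the observation that ".." on its own cannot leave the upload directory. A controller that reads files by a client-supplied name should not depend on the routing layer alone; the helper below is an added example (not VulnerableApp's own code) of the containment check a defender would put in front of the file read. It resolves the name against a fixed base directory, rejects separators and dot components up front, and then canonicalises and checks containment so that a symlink inside the upload directory cannot redirect the read elsewhere. The temp directory, the sample "test.html" file and the list of probe names are constructed for the demonstration; the probe names mirror the cases tried in the thread, and "..test.html" is deliberately accepted as an ordinary file name (it is then simply not found), matching the behaviour reported above.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example, not part of VulnerableApp: resolve a client-supplied file
 * name inside a fixed upload directory and refuse anything that escapes it.
 */
public final class SafeUploadPathExample {

    private SafeUploadPathExample() {}

    /**
     * Returns the canonical path of {@code fileName} inside {@code baseDir}.
     *
     * @throws IllegalArgumentException if the name contains a path separator,
     *         a NUL byte, is "." or "..", or resolves outside {@code baseDir}
     */
    public static Path resolveInside(Path baseDir, String fileName) throws IOException {
        // A plain file name is all this endpoint should ever accept.
        if (fileName == null || fileName.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        if (fileName.indexOf('/') >= 0 || fileName.indexOf('\\') >= 0 || fileName.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("separator or NUL in file name");
        }
        if (fileName.equals(".") || fileName.equals("..")) {
            throw new IllegalArgumentException("dot component");
        }

        // Defence in depth: canonicalise the base directory, resolve the name
        // against it, and verify the result is still contained in the base.
        Path base = baseDir.toRealPath();
        Path candidate = base.resolve(fileName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes upload directory");
        }

        // If the file exists, follow symlinks and check containment again so a
        // link planted inside the upload directory cannot point at /etc/passwd.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(base)) {
                throw new IllegalArgumentException("symlink escapes upload directory");
            }
            return real;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample upload directory with one uploaded file.
        Path base = Files.createTempDirectory("upload-example");
        Files.writeString(base.resolve("test.html"), "<p>hello</p>");

        // Probe names mirroring the cases tried in the thread (constructed).
        String[] names = {
            "test.html", "..test.html", "../test.html",
            "tmp/test.html", "..\\test.html", "\\tmp\\test.html", ".."
        };
        for (String name : names) {
            try {
                Path p = resolveInside(base, name);
                System.out.println(name + " -> " + (Files.exists(p) ? "served " : "not found ") + p);
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Run with `java SafeUploadPathExample.java` (Java 11 or later). Only "test.html" is served; "..test.html" passes the name checks but is reported as not found, and every name carrying a slash, a backslash or a bare ".." is rejected before any file system access. The separator check is deliberately stricter than the routing behaviour described in the thread, so the protection holds even if the endpoint is later remapped with "**" or the file name arrives through a query parameter instead of a path variable.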