WeBankPartners / wecube-platform

WeCube Platform
Apache License 2.0

Path Manipulation #2297

Closed QiAnXinCodeSafe closed 2 years ago

QiAnXinCodeSafe commented 2 years ago

https://github.com/WeBankPartners/wecube-platform/blob/15b004e0295c9466ac11c717bee27165fc5b13a9/platform-core/src/main/java/com/webank/wecube/platform/core/controller/plugin/PluginPackageController.java#L76-L84

https://github.com/WeBankPartners/wecube-platform/blob/15b004e0295c9466ac11c717bee27165fc5b13a9/platform-core/src/main/java/com/webank/wecube/platform/core/service/plugin/PluginArtifactsMgmtService.java#L361-L380

https://github.com/WeBankPartners/wecube-platform/blob/15b004e0295c9466ac11c717bee27165fc5b13a9/platform-core/src/main/java/com/webank/wecube/platform/core/service/plugin/PluginArtifactsMgmtService.java#L476-L488

We found 'file' may be contaminated on line 77 of PluginPackageController.java. Use of unfiltered data in selection of the requested application file path could lead to sensitive data disclosure and potential theft of proprietary business logic. It will affect line 487 of PluginArtifactsMgmtService.java.

gavin2lee commented 2 years ago

Add upload filename validation to fix this issue.
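An added example of the upload filename validation the fix comment describes, covering the path-selection risk in the report above; this is not WeCube code. The class name, the allow-list pattern, the base directory and the sample filenames are assumptions constructed for the illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

// Added example, not WeCube code: validate an upload filename before it selects a path.
public final class UploadFilenameValidator {

    // Assumption: plugin package names fit a conservative allow-list. A leading dot is
    // excluded, so "." and ".." never match.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$");

    // Rejects names that could escape the upload directory: empty names, names with
    // either separator style (the client chooses the name, not the host OS), and
    // anything outside SAFE_NAME.
    public static boolean isValidUploadFilename(String filename) {
        if (filename == null || filename.isEmpty()) {
            return false;
        }
        if (filename.indexOf('/') >= 0 || filename.indexOf('\\') >= 0) {
            return false;
        }
        return SAFE_NAME.matcher(filename).matches();
    }

    // Defence in depth: after validation, resolve against the base directory and confirm
    // the normalised result still lies inside it before touching the filesystem.
    public static Path resolveInside(Path baseDir, String filename) {
        if (!isValidUploadFilename(filename)) {
            throw new IllegalArgumentException("Invalid upload filename: " + filename);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(filename).normalize();
        if (!target.startsWith(base)) {
            throw new IllegalArgumentException("Resolved path escapes upload directory");
        }
        return target;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/tmp/wecube-uploads"); // hypothetical upload directory
        // Constructed sample names: one well-formed, two traversal attempts.
        for (String name : new String[] {"plugin-v1.0.zip", "../../etc/passwd", "..\\x"}) {
            System.out.println(name + " -> " + isValidUploadFilename(name));
        }
        System.out.println(resolveInside(base, "plugin-v1.0.zip"));
    }
}
```

The allow-list check alone would already reject the traversal names; the containment check in `resolveInside` remains as a second barrier in case the validation is bypassed or later relaxed.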