google-code-export / wro4j

Automatically exported from code.google.com/p/wro4j

Path Manipulation possible #917

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
The code below uses a uri that could be externally provided, without checking it. This 
makes wro4j vulnerable to Path Manipulation (see: 
https://www.owasp.org/index.php/Path_Manipulation)

Code:
ro.isdc.wro.model.resource.locator.StandaloneServletContextUriLocator.locateStreamWithContextFolder(String, String)

  /**
   * TODO this is duplicated code (from super) -> find a way to reuse it.
   */
  private InputStream locateStreamWithContextFolder(final String uri, final String contextFolder)
      throws IOException, FileNotFoundException {
    if (getWildcardStreamLocator().hasWildcard(uri)) {
      final String fullPath = WroUtil.getFullPath(uri);
      final String realPath = contextFolder + fullPath;
      return getWildcardStreamLocator().locateStream(uri, new File(realPath));
    }

    final String uriWithoutPrefix = uri.replaceFirst(PREFIX, "");
    final File file = new File(contextFolder, uriWithoutPrefix);
    LOG.debug("Opening file: " + file.getPath());
    return new FileInputStream(file);
  }

Original issue reported on code.google.com by dkwak...@gmail.com on 21 Jan 2015 at 12:24

GoogleCodeExporter commented 9 years ago
Similar kind of issue for 
ro.isdc.wro.model.resource.locator.support.DispatcherStreamLocator.locateExternal(HttpServletRequest, String) location argument.

Original comment by dkwak...@gmail.com on 21 Jan 2015 at 12:29

GoogleCodeExporter commented 9 years ago
I really appreciate that you look into this kind of detail. If you have any 
patches available, please share them via pull requests on the github project 
page: 

https://github.com/alexo/wro4j

Original comment by alex.obj...@gmail.com on 21 Jan 2015 at 12:31

GoogleCodeExporter commented 9 years ago
One note regarding path manipulation:

since the paths are provided by the model (which is in control of the 
application developer), there is no way it could be injected externally by a 
hacker.... or am I missing something?

Original comment by alex.obj...@gmail.com on 21 Jan 2015 at 12:32

GoogleCodeExporter commented 9 years ago
Yes, if you are sure they come from the model then it is safe. I tried to 
follow the injection paths, but this takes a lot of time. From a security point 
of view I would prefer to add a check here (if there is a way to inject, at 
least you are safe).
How to implement this check can be found here: 
https://www.securecoding.cert.org/confluence/display/java/FIO16-J.+Canonicalize+path+names+before+validating+them 

Original comment by dkwak...@gmail.com on 21 Jan 2015 at 1:35
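The FIO16-J check the last comment points to, applied to the non-wildcard branch of the method quoted in the first comment. This is an added illustration written for this page, not wro4j code: the class name, the `resolveInside` helper and the `PREFIX` value are assumptions, and the wildcard branch (`WroUtil.getFullPath`) is not covered.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

/**
 * Added example (not from the wro4j project): canonicalize the context
 * folder and the resolved file, then require the file to sit below the
 * folder before opening it. Checking the raw string is not enough, since
 * ".." segments and symlinks are only resolved by getCanonicalFile().
 */
public final class ContextFolderLocator {

  // Assumed value; the issue's snippet strips PREFIX but does not show it.
  private static final String PREFIX = "/";

  private ContextFolderLocator() {
  }

  /** Returns the canonical file if it lies inside contextFolder, otherwise throws. */
  static File resolveInside(final String contextFolder, final String uri)
      throws IOException {
    final String uriWithoutPrefix = uri.replaceFirst(PREFIX, "");
    final File root = new File(contextFolder).getCanonicalFile();
    final File candidate = new File(root, uriWithoutPrefix).getCanonicalFile();
    // Compare against root plus a separator so that a folder named
    // "/ctx-other" is not accepted as being under "/ctx".
    final String rootPrefix = root.getPath() + File.separator;
    if (!candidate.getPath().startsWith(rootPrefix)) {
      throw new IOException("Resource escapes context folder: " + uri);
    }
    return candidate;
  }

  /** Same shape as the method in the issue, with the containment check in front of the open. */
  static InputStream locateStreamWithContextFolder(final String uri, final String contextFolder)
      throws IOException {
    return new FileInputStream(resolveInside(contextFolder, uri));
  }

  public static void main(final String[] args) throws IOException {
    // Constructed inputs: a normal resource path and one that climbs out of the folder.
    System.out.println(resolveInside("/var/app/webapp", "/css/main.css"));
    try {
      resolveInside("/var/app/webapp", "/../../etc/passwd");
    } catch (final IOException rejected) {
      System.out.println("rejected: " + rejected.getMessage());
    }
  }
}
```

Canonicalization happens before the comparison on purpose; comparing `contextFolder + uri` as strings would accept a path that only escapes after `..` resolution.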