javaee / jersey


Method resolve() of AbstractTemplateProcessor is vulnerable to path traversal #3490

Closed glassfishrobot closed 7 years ago

glassfishrobot commented 7 years ago

Method resolve() in org.glassfish.jersey.server.mvc.spi.AbstractTemplateProcessor, which resolves a template name to a template reference, is vulnerable to path traversal when Viewable is used to load a template based on the user's data. This issue leads to a Server-Side Template Injection (SSTI) attack. On JRE before 7u40 it also leads to file disclosure attacks.

At the beginning, method resolve() tries to load the template using servletContext.getResourceAsStream(). If that fails, it tries to load the template using the classloader: getClass().getClassLoader().getResourceAsStream. If that fails, it loads the template using FileInputStream: new InputStreamReader(new FileInputStream(template), encoding), where template is the concatenation of the jersey.config.server.mvc.templateBasePath.freemarker parameter and the value passed to org.glassfish.jersey.server.mvc.Viewable. Method resolve() doesn't check for the presence of ../ (traversal sequences) in the template parameter.

Let's suppose we have a resource method which uses org.glassfish.jersey.server.mvc.Viewable to dynamically select a freemarker template based on the template URL parameter.

import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import org.glassfish.jersey.server.mvc.Viewable;

@Path("/")
public class HelloResource {

    // Vulnerable as reported: the "template" query parameter is passed
    // unchecked to Viewable, so it selects which file resolve() opens.
    @GET
    @Path("mvc-vulnerable")
    @Produces(MediaType.TEXT_HTML)
    public Viewable getHello(@QueryParam("template") String template) {
        final Map<String, Object> map = new HashMap<String, Object>();
        map.put("user", "jDoe");
        final List<String> list = new ArrayList<String>();
        list.add("item1");
        list.add("item2");
        list.add("item3");
        map.put("items", list);

        return new Viewable(template, map);
    }
}

In web.xml we specify the value /opt/templates for jersey.config.server.mvc.templateBasePath.freemarker.

A low-privileged attacker can place a malicious template in /tmp and load that template by specifying the value /../../../../tmp/hack.ftl in the template URL parameter. As a result, the attacker can run arbitrary code with the privileges of the JAX-RS application.

Affected Versions

[2.25]

glassfishrobot commented 7 years ago

Reported by 0ang3el

glassfishrobot commented 7 years ago

@pavelbucek said: Closing as invalid.

There could be a valid use case for allowing "../../" in the template name, and the documentation of MvcFeature.TEMPLATE_BASE_PATH doesn't say anything about not allowing access to any other directory.

All user input needs to be validated, so in this case, it's a security issue of the code you've presented.

As always - feel free to add comments to this issue, it can always be reopened.
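The report above describes how resolve() concatenates the configured base path with the Viewable name and never checks for traversal sequences, and the maintainer's reply puts the burden of validation on the application code. The following is an added example (not Jersey's code and not from either commenter) showing what that validation looks like on the application side: a hypothetical SafeTemplateResolver that confines a template name to the base directory using java.nio.file normalization plus a strict name pattern, and a hardened variant of the reported resource method that only accepts template names from an allow-list. The class and method names, the allow-list contents and the /opt/templates base path are assumptions for illustration; the traversal string checked in main() is the one from the report.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import org.glassfish.jersey.server.mvc.Viewable;

// Hypothetical helper (not part of Jersey): checks a user-supplied template
// name before it reaches AbstractTemplateProcessor.resolve().
final class SafeTemplateResolver {

    // Accept only plain relative names such as "index.ftl" or "users/list.ftl".
    // Anything containing "..", a leading "/", or an unexpected extension fails.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-]+(/[A-Za-z0-9_-]+)*\\.ftl$");

    private final Path baseDir;

    SafeTemplateResolver(String templateBasePath) {
        // Plays the role of jersey.config.server.mvc.templateBasePath.freemarker.
        this.baseDir = Paths.get(templateBasePath).toAbsolutePath().normalize();
    }

    /** Returns the confined template path, or null when the name must be rejected. */
    Path resolve(String templateName) {
        if (templateName == null || !SAFE_NAME.matcher(templateName).matches()) {
            return null;
        }
        // Second, independent check: after joining and normalizing, the result
        // must still lie under baseDir. This catches anything the pattern misses.
        Path candidate = baseDir.resolve(templateName).normalize();
        return candidate.startsWith(baseDir) ? candidate : null;
    }
}

@javax.ws.rs.Path("/")
public class HardenedHelloResource {

    // Allow-list of template names the application actually ships (assumed values).
    private static final Set<String> ALLOWED_TEMPLATES =
            new HashSet<String>(Arrays.asList("hello", "hello-plain"));

    @GET
    @javax.ws.rs.Path("mvc-hardened")
    @Produces(MediaType.TEXT_HTML)
    public Viewable getHello(@QueryParam("template") String template) {
        // Never hand the raw parameter to Viewable: map it through the allow-list.
        if (template == null || !ALLOWED_TEMPLATES.contains(template)) {
            throw new NotFoundException();
        }
        final Map<String, Object> model = new HashMap<String, Object>();
        model.put("user", "jDoe");
        return new Viewable(template, model);
    }

    // Stand-alone check of the resolver against a good name and the report's payload.
    public static void main(String[] args) {
        SafeTemplateResolver resolver = new SafeTemplateResolver("/opt/templates");
        System.out.println("index.ftl -> " + resolver.resolve("index.ftl"));
        System.out.println("traversal -> " + resolver.resolve("/../../../../tmp/hack.ftl"));
    }
}
```

The two checks are deliberately redundant: the pattern rejects the input before any filesystem path is built, and the normalize-then-startsWith test guards against encodings or separators the pattern might not anticipate. The allow-list in the resource method is the simplest fix for the reported code, since the set of templates an application renders is known at build time.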

glassfishrobot commented 7 years ago

0ang3el said: I think you should place a warning in the documentation regarding the use of Viewable with user input.

glassfishrobot commented 7 years ago

This issue was imported from java.net JIRA JERSEY-3218

glassfishrobot commented 7 years ago

Marked as invalid on Friday, January 6th 2017, 7:55:19 am