spring-guides / gs-uploading-files

Uploading Files :: Learn how to build a Spring application that accepts multi-part file uploads.
http://spring.io/guides/gs/uploading-files/
Apache License 2.0

Fix save file security issue #68

Closed KrzysztofDziankowski closed 3 years ago

KrzysztofDziankowski commented 4 years ago

I would like to fix a security issue in the code for saving files. Currently the code contains a security check which validates relative paths, but there is no validation for absolute paths.

How to use this bug? Send a file, setting an absolute path in the request.

Assuming that the application is started in the following way:

docker run -it --rm -v $(pwd)/build/libs:/libs -p8080:8080 openjdk:8-slim /usr/local/openjdk-8/bin/java -jar /libs/uploading-files-0.0.1-SNAPSHOT.jar

I see two possibilities to override the /libs/uploading-files-0.0.1-SNAPSHOT.jar file:

First: Create a file with any name, e.g. 'hack.jar', and send this file, overriding the filename with an absolute path: '/libs/uploading-files-0.0.1-SNAPSHOT.jar'.

curl 'http://localhost:8080/' -F "file=@hack.jar;filename=/libs/uploading-files-0.0.1-SNAPSHOT.jar;"

Second: Create a file with the name '\libs\uploading-files-0.0.1-SNAPSHOT.jar' and send it to the server.

curl 'http://localhost:8080/' -F "file=@\\libs\\uploading-files-0.0.1-SNAPSHOT.jar;"

Here we use another bug. The code uses StringUtils.cleanPath for filename normalization, which will change '\' to '/'. Note that Unix file systems (e.g. ext4) allow the backslash '\' in file names.
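The two bypasses described in the report share one root cause: the upload handler trusts the client-supplied filename as a path and only looks for `..` after normalization. The check below is an added example, not the guide's code and not the change in this PR. It uses only `java.nio.file` (no Spring dependency) and assumes an upload root named `upload-dir` and a class name `SafeUploadPath`; both are placeholders. It rejects any filename containing a separator, a backslash or NUL before normalization ever runs, so a Linux filename like `\libs\x.jar` cannot later be rewritten into `/libs/x.jar`, and it finishes with a containment check against the resolved upload root.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

// Added example (not the guide's code): validate a client-supplied filename
// before resolving it under the upload directory.
public class SafeUploadPath {

    // Assumed upload root; the real application would configure this.
    static final Path ROOT = Paths.get("upload-dir").toAbsolutePath().normalize();

    // Returns the absolute, normalized target path for the upload, or throws
    // IllegalArgumentException if the name could escape the root.
    public static Path resolveSafely(Path root, String originalFilename) {
        if (originalFilename == null || originalFilename.isEmpty()) {
            throw new IllegalArgumentException("empty filename");
        }
        // Reject separators and NUL outright. On Linux '\' is a legal filename
        // character, so a cleanPath-style '\' -> '/' conversion applied later
        // would turn '\libs\x.jar' into the absolute path '/libs/x.jar'.
        for (char c : originalFilename.toCharArray()) {
            if (c == '/' || c == '\\' || c == '\0') {
                throw new IllegalArgumentException("filename contains a separator or NUL");
            }
        }
        Path candidate = Paths.get(originalFilename);
        // Defence in depth: no absolute path, no root component (e.g. a Windows
        // drive letter), exactly one name element.
        if (candidate.isAbsolute() || candidate.getRoot() != null || candidate.getNameCount() != 1) {
            throw new IllegalArgumentException("filename is not a single relative name");
        }
        String name = candidate.getFileName().toString();
        if (name.equals(".") || name.equals("..")) {
            throw new IllegalArgumentException("dot name rejected");
        }
        Path target = root.resolve(name).normalize();
        // Containment check: the final path must stay strictly below the root.
        if (!target.startsWith(root) || target.equals(root)) {
            throw new IllegalArgumentException("resolved path escapes upload root");
        }
        return target;
    }

    public static void main(String[] args) {
        // Constructed sample names: one benign name, the two names from the
        // report above, and a plain traversal attempt.
        String[] samples = {
            "hack.jar",
            "/libs/uploading-files-0.0.1-SNAPSHOT.jar",
            "\\libs\\uploading-files-0.0.1-SNAPSHOT.jar",
            "../escape.jar"
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + s + " -> " + resolveSafely(ROOT, s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running `main` accepts only `hack.jar`; the absolute path, the backslash name and the `..` name are all rejected before any normalization can reinterpret them. Keeping the separator check ahead of normalization is the important ordering: normalizing first and validating afterwards is exactly what let the second bypass in the report through.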