Reposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files.
The problem lies in the way how the expanded javadoc files are served. The GET /javadoc/{repository}/<gav>/raw/<resource>
route uses the <resource>
path parameter to find the file in the javadocUnpackPath
directory and returns it's content to the user.
fun findRawJavadocResource(request: JavadocRawRequest): Result<JavadocRawResponse, ErrorResponse> =
with (request) {
mavenFacade.canAccessResource(accessToken, repository, gav)
.flatMap { javadocContainerService.loadContainer(accessToken, repository, gav) }
.filter({ Files.exists(it.javadocUnpackPath.resolve(resource.toString())) }, { notFound("Resource $resource not found") })
.map {
JavadocRawResponse(
contentType = supportedExtensions[resource.getExtension()] ?: ContentType.APPLICATION_OCTET_STREAM,
content = Files.newInputStream(it.javadocUnpackPath.resolve(resource.toString()))
)
}
}
In this case, the <resource>
path parameter can contain path traversal characters such as /../../
. Since the path is concatenated with the main directory, it opens the possibility to read files outside the javadocUnpackPath
directory.
This issue may lead to Arbitrary File Read on the server. A potential attacker can read some sensitive file, such as reposilite.db
, that contains the sqlite database used by Reposilite. This database contains the sensitive information used by Reposilite, including passwords and hashes of issued tokens. Also, the configuration.cdn
file can be read, which contains other sensitive properties.
/releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar
archive that is suitable for our attack./repositories/releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar
file into the /javadocs/releases/javadoc/1.0.0/.cache/unpack
folder. Then, it tries to read the ../../../../../../reposilite.db
file from this folder, which triggers the path traversal attack.Normalize (remove all occurrences of /../
) the <resource>
path parameter before using it when reading the file. For example:
content = Files.newInputStream(it.javadocUnpackPath.resolve(resource.toPath()))
Changing resource.toString()
to resource.toPath()
is enough here as the com.reposilite.storage.api.Location#toPath
method normalizes the string internally.
{ "nvd_published_at": null, "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-11-04T23:23:08Z" }