GHSA-cjx7-399x-p2rj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-cjx7-399x-p2rj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/07/GHSA-cjx7-399x-p2rj/GHSA-cjx7-399x-p2rj.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-cjx7-399x-p2rj
- Aliases
- Published
- 2021-07-26T21:15:08Z
- Modified
- 2023-11-08T04:05:59.784823Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in micronaut-core
- Details
-
With a basic configuration like
router: static-resources: assets: enabled: true mapping: /.assets/public/** paths: file:/home/lstrmiska/test/it is possible to access any file from a filesystem, using "/../../" in URL, as Micronaut does not restrict file access to configured paths.
Repro Steps - create a file test.txt in /home/lstrmiska - start micronaut - execute command
curl -v --path-as-is "http://localhost:8080/.assets/public/../test.txt"Impact
Micronaut can potentially leak sensitive information.
See https://cwe.mitre.org/data/definitions/22.html
Patches
diff --git a/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java b/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java index 2f5a91403..19d3b7f05 100644 --- a/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java +++ b/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java @@ -69,6 +69,9 @@ public class DefaultFileSystemResourceLoader implements FileSystemResourceLoader @Override public Optional<InputStream> getResourceAsStream(String path) { Path filePath = getFilePath(normalize(path)); + if (pathOutsideBase(filePath)) { + return Optional.empty(); + } try { return Optional.of(Files.newInputStream(filePath)); } catch (IOException e) { @@ -79,7 +82,7 @@ public class DefaultFileSystemResourceLoader implements FileSystemResourceLoader @Override public Optional<URL> getResource(String path) { Path filePath = getFilePath(normalize(path)); - if (Files.exists(filePath) && Files.isReadable(filePath) && !Files.isDirectory(filePath)) { + if (!pathOutsideBase(filePath) && Files.exists(filePath) && Files.isReadable(filePath) && !Files.isDirectory(filePath)) { try { URL url = filePath.toUri().toURL(); return Optional.of(url); @@ -117,4 +120,15 @@ public class DefaultFileSystemResourceLoader implements FileSystemResourceLoader private Path getFilePath(String path) { return baseDirPath.map(dir -> dir.resolve(path)).orElseGet(() -> Paths.get(path)); } + + private boolean pathOutsideBase(Path path) { + if (baseDirPath.isPresent()) { + Path baseDir = baseDirPath.get(); + if (path.isAbsolute() == baseDir.isAbsolute()) { + Path relativePath = baseDir.relativize(path); + return relativePath.startsWith(".."); + } + } + return false; + } } --Workarounds
- do not use ** in mapping, use only * which exposes only flat structure of a directory not allowing traversal
- run micronaut in chroot (linux only)
References
See https://cwe.mitre.org/data/definitions/22.html
For more information
If you have any questions or comments about this advisory: * Open an issue in Github * Email us at info@micronaut.io
- Database specific
{ "nvd_published_at": "2021-07-16T19:15:00Z", "github_reviewed_at": "2021-07-22T20:25:11Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-22" ] }- References
Affected packages
Maven / io.micronaut:micronaut-http-server-netty
Package
- Name
- io.micronaut:micronaut-http-server-netty
- View open source insights on deps.dev
- Purl
- pkg:maven/io.micronaut/micronaut-http-server-netty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.5.9
Affected versions
1.*
1.0.0.RC3
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.1.0.M1
1.1.0.M2
1.1.0.RC1
1.1.0.RC2
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.2.0.RC1
1.2.0.RC2
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.3.0.M1
1.3.0.M2
1.3.0.RC1
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
2.*
2.0.0.M1
2.0.0.M2
2.0.0.M3
2.0.0.RC1
2.0.0.RC2
2.0.0
2.0.1
2.0.2
2.0.3
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.2.0
2.2.1
2.2.2
2.2.3
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8