Impact

Access to sensitive information available from classpath.

Patches

Patched version: 1.6.7 and 2.8.2

Commit 1.x: 34f5260

Commit 2.x: c81479d

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Latest 1.x version: 1.6.6

Arbitrary class path resource access 1

When sharing a File System directory as in:

assets("/static/**", Paths.get("static"));

The class path is also searched for the file (org.jooby.handlers.AssetHandler.loader):
jooby/AssetHandler.java at 1.x · jooby-project/jooby · GitHub

  private static Loader loader(final Path basedir, final ClassLoader classloader) {
    if (Files.exists(basedir)) {
      return name -> {
        Path path = basedir.resolve(name).normalize();
        if (Files.exists(path) && path.startsWith(basedir)) {
          try {
            return path.toUri().toURL();
          } catch (MalformedURLException x) {
            // shh
          }
        }
        return classloader.getResource(name);
      };
    }
    return classloader::getResource;
  }

If we send /static/WEB-INF/web.xml it will fail to load it from the file system but will go into classloader.getResource(name) where name equals /WEB-INF/web.xml so will succeed and return the requested file. This way we can get any configuration file or even the application class files

If assets are configured for a certain extension we can still bypass it. eg:

assets("/static/**/*.js", Paths.get("static"));

We can send:

http://localhost:8080/static/io/yiss/App.class.js

Arbitrary class path resource access 2

This vulnerability also affects assets configured to access resources from the root of the class path. eg:

assets("/static/**");

In this case we can traverse static by sending:

http://localhost:8080/static/..%252fio/yiss/App.class

For more information

If you have any questions or comments about this advisory:

• Open an issue in jooby
• Email us at support@jooby.io