Directory traversal (unsafe unzip) vulnerability #1840
Comments

Thanks for the report!

@itsacoderepo Do you recommend a fix such as what Sonarqube did? SonarSource/sonarqube@08438a2#diff-6d8def68a00bf88a105528765f02fb95 or another method / library?

It is also reported under CVE-2018-19859

Is the CVE-2018-19859 vulnerability fixed in the 3.2-beta? The history above and the bug fix summary for 3.2-beta seem to indicate it has, but you indicate above that you've allocated some work to 3.5. As a result the CVE record (https://nvd.nist.gov/vuln/detail/CVE-2018-19859) indicates that it won't be fixed until 3.5. My work won't let me use the software until the NIST vulnerabilities are fixed.

@mdbaehre Yes this was fixed in 3.2-beta.

I've submitted a request to the CVE database for CVE-2018-19859 to reflect this earlier fix to the vulnerability.

CVE database now updated to indicate that this has been fixed in 3.2-beta http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19859

Fantastic, thanks a lot Owen!
Describe the bug
It is possible to create files outside the temporary folder by importing a zip file containing files with relative paths. This can be used to create scripts and configurations at locations where they can be picked up by applications, other scripts or executed during start up.
Additional information https://snyk.io/research/zip-slip-vulnerability
To Reproduce
Video (zipped video because of GH extension restrictions) openrefine_zip_dir_traversal.zip
Steps to reproduce the behavior:
Create payload and start server on Linux
Steps on openrefine
If the file does exist, openrefine shows a stack trace (see below) on terminal
Current Results
No error nor warning.
Expected behavior
Warn the user about dangerous content in the zip and prevent the creation of the file.
Video
The video is inside a zip file because of GitHub file extension restrictions.
Desktop (please complete the following information):
And
OpenRefine (please complete the following information):
Stack trace
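The defence the reporter asks for under "Expected behavior" (refuse to write any entry that would land outside the destination directory) comes down to one canonical-path check per zip entry. The following is an added, self-contained Java example written for this issue; it is not OpenRefine's code and not the SonarQube commit linked in the comments. It builds a small zip in memory (constructed test data: one benign entry and one entry named `../escaped.txt`), then extracts it through a `resolveEntry` check that canonicalises the target path and compares it against the canonical destination directory. The class name `SafeUnzipExample`, the method names and the `ZipSlipException` type are all hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzipExample {

    /** Thrown when a zip entry would resolve outside the destination directory (hypothetical type). */
    public static class ZipSlipException extends IOException {
        public ZipSlipException(String msg) { super(msg); }
    }

    /**
     * Resolve an entry name against destDir and refuse it if the canonical result
     * escapes destDir. getCanonicalPath() collapses "..", "." and symlinks, so the
     * prefix comparison cannot be bypassed by repeated ".." or mixed separators.
     */
    public static File resolveEntry(File destDir, String entryName) throws IOException {
        String destPath = destDir.getCanonicalPath();
        File target = new File(destDir, entryName);
        String targetPath = target.getCanonicalPath();
        // Require the trailing separator so "/tmp/out" does not accept "/tmp/outside/x".
        if (!targetPath.equals(destPath) && !targetPath.startsWith(destPath + File.separator)) {
            throw new ZipSlipException("Entry is outside of the target dir: " + entryName);
        }
        return target;
    }

    /** Extract zipBytes into destDir; entries failing the check are skipped and returned. */
    public static List<String> extract(byte[] zipBytes, File destDir) throws IOException {
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                File target;
                try {
                    target = resolveEntry(destDir, entry.getName());
                } catch (ZipSlipException e) {
                    rejected.add(entry.getName());   // report to the caller instead of writing
                    continue;
                }
                if (entry.isDirectory()) {
                    Files.createDirectories(target.toPath());
                } else {
                    Files.createDirectories(target.toPath().getParent());
                    Files.copy(zin, target.toPath());   // reads up to the end of this entry
                }
            }
        }
        return rejected;
    }

    /** Constructed sample zip: one benign entry and one entry that tries to climb out. */
    static byte[] buildSampleZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            zout.putNextEntry(new ZipEntry("project/data.csv"));
            zout.write("a,b\n1,2\n".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("../escaped.txt"));
            zout.write("must never be written".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path dest = Files.createTempDirectory("safe-unzip-");
        List<String> rejected = extract(buildSampleZip(), dest.toFile());
        System.out.println("Extracted into " + dest);
        System.out.println("Rejected entries: " + rejected);
        System.out.println("Sibling file created? " + Files.exists(dest.resolveSibling("escaped.txt")));
    }
}
```

The check is done on canonical paths rather than by scanning the entry name for `..`, because an entry name can be normalised in several ways before it reaches the filesystem; comparing the final absolute path against the destination is the only comparison that holds regardless of how the name was encoded. Returning the rejected names lets the caller surface a warning to the user, which is the behaviour the report asks for, rather than silently dropping the entry.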