Project import vulnerable to arbitrary file write #1927
Labels: vulnerability (Security vulnerability which needs fixing); waiting on submitter feedback (We are waiting on feedback from submitter)
Describe the bug
The import of a project is prone to a path traversal and thus an arbitrary file write.
To Reproduce
Steps to reproduce the behavior:
1. gzip payload.txt; payload.txt.gz is created.
2. Import Projects: payload.txt.gz
3. cat /tmp/ohno should show the content of the file.

Current Results
The first 100 bytes of the file payload.txt are chosen as the path, not the filename itself. An error is also shown, but it is not related to the path traversal.

Expected behavior
Show an error, warn user, do not write file outside of the project folder.
Video
project_import_vuln.zip
Desktop (please complete the following information):
Not important
OpenRefine (please complete the following information):
Datasets
Payload file
https://github.com/OpenRefine/OpenRefine/files/2721399/payload.txt
Additional context
Please also update dependencies. The ant library is out of date and sloppy (compared to others) in handling the (tar) archive header.
If you have questions, you can reach me at "niko at-sign shiftleft.io" or https://twitter.com/0x4d5a.
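A defensive check of the kind the expected behavior asks for, as an added example that is not OpenRefine's code: it resolves each tar member's header name against the import destination and rejects any entry that would be written outside it, without extracting anything. The destination directory and the member names in the sample archive are constructed for illustration (modelled on the /tmp/ohno path in the report).

```python
"""Added example (not OpenRefine's code): vet tar member names before
extraction. The bug described above takes the 100-byte tar header name
field as the output path; this validates that name first."""
import io
import os
import tarfile


def safe_member_path(dest_dir, member_name):
    """Return the absolute output path for member_name, or None when the
    entry would land outside dest_dir (absolute name or '..' traversal)."""
    dest_root = os.path.realpath(dest_dir)
    # os.path.join drops dest_root when member_name is absolute, so
    # resolving the joined path and checking containment catches both
    # absolute names and '../' segments in one step.
    target = os.path.realpath(os.path.join(dest_root, member_name))
    if os.path.commonpath([dest_root, target]) != dest_root:
        return None
    return target


def vet_archive(archive_bytes, dest_dir):
    """Classify each member of a .tar.gz as accepted or rejected; writes nothing."""
    accepted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            # Only plain files and directories inside dest_dir are allowed;
            # symlinks and devices are rejected as well.
            if safe_member_path(dest_dir, m.name) is None or not (m.isfile() or m.isdir()):
                rejected.append(m.name)
            else:
                accepted.append(m.name)
    return accepted, rejected


def build_sample_archive():
    """Constructed sample: one legitimate member and two escaping names."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in ("project/data.txt", "/tmp/ohno", "../../tmp/ohno"):
            info = tarfile.TarInfo(name)  # header name taken verbatim
            payload = b"constructed content"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    ok, bad = vet_archive(build_sample_archive(), "/tmp/openrefine-import")
    print("accepted:", ok)   # ['project/data.txt']
    print("rejected:", bad)  # ['/tmp/ohno', '../../tmp/ohno']
```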