Project import vulnerable to arbitrary file write #1927
Labels
Status: Needs More Information
vulnerability
Describe the bug
The import of a project is prone to a path traversal and thus an arbitrary file write.
To Reproduce
Steps to reproduce the behavior:
1. gzip payload.txt, payload.txt.gz is created
2. Import Projects -> payload.txt.gz
3. cat /tmp/ohno should show the content of the file.
Current Results
The first 100 bytes from the file payload.txt are chosen as path, not the filename itself. An error is also shown but is not related to the path traversal.
Expected behavior
Show an error, warn user, do not write file outside of the project folder.
Video
project_import_vuln.zip
Desktop (please complete the following information):
Not important
OpenRefine (please complete the following information):
Datasets
Payload file
https://github.com/OpenRefine/OpenRefine/files/2721399/payload.txt
Additional context
Please also update dependencies. The ant library is out of date and sloppy (compared to others) in handling the (tar) archive header.
If you have questions, you can reach me at "niko at-sign shiftleft.io" or https://twitter.com/0x4d5a.
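A defender-side check for the behaviour reported above, added here as an illustration and not code from OpenRefine or the reporter: it reads the entry name from the 100-byte name field of a raw tar header block and resolves it against the import directory, refusing any entry that would land outside that directory. The import directory path and the header bytes are constructed for the example.

```python
import os

# Added illustration (not OpenRefine code): validate tar entry names before
# anything is written, so an entry can never resolve outside the import
# directory. The destination path and headers below are constructed sample data.

NAME_FIELD_LEN = 100  # ustar header: the entry name occupies the first 100 bytes
HEADER_LEN = 512


def header_entry_name(header: bytes) -> str:
    """Extract the NUL-terminated entry name from a raw tar header block."""
    if len(header) != HEADER_LEN:
        raise ValueError("tar header block must be exactly 512 bytes")
    raw = header[:NAME_FIELD_LEN].split(b"\x00", 1)[0]
    return raw.decode("utf-8", errors="replace")


def safe_target_path(dest_dir: str, entry_name: str) -> str:
    """Resolve entry_name under dest_dir; raise ValueError if it escapes it."""
    if not entry_name or entry_name.startswith(("/", "\\")):
        raise ValueError(f"absolute or empty entry name rejected: {entry_name!r}")
    dest_real = os.path.realpath(dest_dir)
    # realpath collapses '..' components (and follows symlinks) before the check
    candidate = os.path.realpath(os.path.join(dest_real, entry_name))
    if os.path.commonpath([dest_real, candidate]) != dest_real:
        raise ValueError(f"entry escapes import directory: {entry_name!r}")
    return candidate


def check_header(dest_dir: str, header: bytes) -> tuple:
    """Return (True, resolved_path) or (False, reason) for one header block."""
    try:
        return True, safe_target_path(dest_dir, header_entry_name(header))
    except ValueError as exc:
        return False, str(exc)


def make_header(name: str) -> bytes:
    """Build a constructed 512-byte header with only the name field populated."""
    encoded = name.encode("utf-8")
    if len(encoded) > NAME_FIELD_LEN:
        raise ValueError("name does not fit the 100-byte ustar name field")
    return encoded.ljust(NAME_FIELD_LEN, b"\x00").ljust(HEADER_LEN, b"\x00")


if __name__ == "__main__":
    dest = "/var/lib/openrefine/workspace"  # constructed import directory
    for name in ("project/data.txt", "../../../tmp/ohno", "/tmp/ohno"):
        print(name, "->", check_header(dest, make_header(name)))
```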