ImportingUtilities.allocateFile might not detect some malicious file names

[Marcono1234]

It appears com.google.refine.importing.ImportingUtilities.allocateFile(File, String) might not detect some malicious file names. However, I am not familiar with this project so hopefully someone more familiar with it can confirm or deny whether these cases are actually problematic.
Sorry in case these are false alerts.

Not checking file being same as directory

allocateFile does not check whether the resolved file name is equivalent to the directory. This can for example be the case when the file name

• is an empty string
• consists only of single periods or slashes: ., ///, ././., ...
• uses double periods: ignored/..

All these file names pass the startsWith sanitization check and only in case the directory already exists would be renamed in the loop. Otherwise they would be returned as they are and might cause issues.

Rename loop might allow directory traversal

When the result file name is already taken, allocateFile tries to construct an alternative file name. However, if an adversary knows the directory structure they can create a file name which, when transformed, allows directory traversal.
For example, let's assume the dir parameter argument is C:/User/Test/temp. An adversary could then use the file name "./../../Test/temp" (respectively "../../../User/Test/temp"):

// ImportingUtilities.allocateFile(File, String) code

File file = new File(dir, name); // file = "C:/User/Test/temp/./../../Test/temp"
if (!file.toPath().normalize().startsWith(dir.toPath().normalize())) {
    throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
}

int dot = name.indexOf('.');
String prefix = dot < 0 ? name : name.substring(0, dot); // prefix = ""
String suffix = dot < 0 ? "" : name.substring(dot); // suffix = "./../../Test/temp"
int index = 2;
while (file.exists()) { // File already exists
    // file = "C:/User/Test/temp/-2./../../Test/temp"
    file = new File(dir, prefix + "-" + index++ + suffix);
}

The resulting file would then be C:/User/Test/temp/-2./../../Test/temp (normalized: C:/User/Test/Test/temp) which is outside the intended directory C:/User/Test/temp. Though the adversary is restricted to the parent directory names and cannot choose arbitrary directory names.

[thadguidry]

@Marcono1234 Thanks for reporting! Curious, did this come from a particular vulnerability scanner or IDE plugin that you use or ran it through with?

[Marcono1234]

I noticed @tfmorris' issue github/codeql#4035 and then had a closer look at the method.

[tfmorris]

Thanks for taking the time to investigate. The code in question is here

OpenRefine/main/src/com/google/refine/importing/ImportingUtilities.java

Lines 461 to 473 in 83ed9ff

	File file = new File(dir, name);
	// For CVE-2018-19859, issue #1840
	if (!file.toPath().normalize().startsWith(dir.toPath().normalize())) {
	throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
	}
	int dot = name.indexOf('.');
	String prefix = dot < 0 ? name : name.substring(0, dot);
	String suffix = dot < 0 ? "" : name.substring(dot);
	int index = 2;
	while (file.exists()) {
	file = new File(dir, prefix + "-" + index++ + suffix);
	}

All these file names pass the startsWith sanitization check and only in case the directory already exists would be renamed in the loop. Otherwise they would be returned as they are and might cause issues.

The directory always exists and is a freshly created empty temporary directory.

I don't think this is actually a vulnerability in practice, but I think we can close any theoretical possibility by adding a trailing file separator to the check, ie

if (!file.toPath().normalize().startsWith(dir.toPath().normalize() + File.separator)) {

if this change makes LGTM happy, I'll close my false positive bug report.

[Marcono1234]

Thanks! Though I think the change to using lastIndexOf instead of indexOf made the code vulnerable in a different way:
https://github.com/OpenRefine/OpenRefine/pull/3048/files#diff-35f5c7efc1cf05c3c940f483b5eaa85fL467-R467

However exploiting that would still require knowing the directory structure.

For example, let's assume the dir parameter argument is C:/User/Test/temp. An adversary could then provide a zip archive with two files:

• "dummy" (required so the second file is renamed because it already exists)
• "../../../User/Test/temp/dummy" (respectively "../.././Test/temp/dummy")

// ImportingUtilities.allocateFile(File, String) code

File file = new File(dir, name); // file = "C:/User/Test/temp/../../../User/Test/temp/dummy"
if (!file.toPath().normalize().startsWith(dir.toPath().normalize() + File.separator)) {
    throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
}

int dot = name.lastIndexOf('.');
String prefix = dot < 0 ? name : name.substring(0, dot); // prefix = "../../."
String suffix = dot < 0 ? "" : name.substring(dot); // suffix = "./User/Test/temp/dummy"
int index = 2;
while (file.exists()) { // Already exists due to first file
    // file = "C:/User/Test/temp/../../.-2./User/Test/temp/dummy"
    file = new File(dir, prefix + "-" + index++ + suffix);
}

The resulting file would then be C:/User/Test/temp/../../.-2./User/Test/temp/dummy (normalized: C:/User/.-2./User/Test/temp/dummy) which is outside the intended directory C:/User/Test/temp. Though the adversary is restricted to the parent directory names and cannot choose arbitrary directory names.

A fix for this might be to use the normalized path to construct the alternative name:
(have not tested this yet)

File file = new File(dir, name);
Path normalizedFile = file.toPath().normalize();
// For CVE-2018-19859, issue #1840
if (!normalizedFile.startsWith(dir.toPath().normalize() + File.separator)) {
    throw new IllegalArgumentException("Zip archives with files escaping their root directory are not allowed.");
}

Path normalizedParent = normalizedFile.getParent();
String fileName = normalizedFile.getFileName().toString();
int dot = fileName.lastIndexOf('.');
String prefix = dot < 0 ? fileName : fileName.substring(0, dot);
String suffix = dot < 0 ? "" : fileName.substring(dot);
int index = 2;
while (file.exists()) {
    file = normalizedParent.resolve(prefix + "-" + index++ + suffix).toFile();
}

This also fixes the method behaving incorrectly for file names without extension in directories whose name contains a period, e.g. logs/01.01.2020/latest-log (would have been previously renamed to logs/01.01-2.2020/latest-log instead of logs/01.01.2020/latest-log-2).

[Marcono1234]

@tfmorris what do you think about the code change proposed above?

[tfmorris]

@Marcono1234 Sorry, I missed your follow up note. I'll have another look.