Impact
Access to sensitive information available from classpath.
Patches
Patched version: 1.6.7 and 2.8.2
Commit 1.x: jooby-project/jooby@34f5260
Commit 2.x: jooby-project/jooby@c81479d
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Latest 1.x version: 1.6.6
Arbitrary class path resource access 1
When sharing a File System directory as in:
assets("/static/**", Paths.get("static"));The class path is also searched for the file (org.jooby.handlers.AssetHandler.loader):
jooby/AssetHandler.java at 1.x · jooby-project/jooby · GitHub
private static Loader loader(final Path basedir, final ClassLoader classloader) {
if (Files.exists(basedir)) {
return name -> {
Path path = basedir.resolve(name).normalize();
if (Files.exists(path) && path.startsWith(basedir)) {
try {
return path.toUri().toURL();
} catch (MalformedURLException x) {
// shh
}
}
return classloader.getResource(name);
};
}
return classloader::getResource;
}If we send /static/WEB-INF/web.xml it will fail to load it from the file system but will go into classloader.getResource(name) where name equals /WEB-INF/web.xml so will succeed and return the requested file. This way we can get any configuration file or even the application class files
If assets are configured for a certain extension we can still bypass it. eg:
assets("/static/**/*.js", Paths.get("static"));We can send:
http://localhost:8080/static/io/yiss/App.class.js
Arbitrary class path resource access 2
This vulnerability also affects assets configured to access resources from the root of the class path. eg:
In this case we can traverse static by sending:
http://localhost:8080/static/..%252fio/yiss/App.class
For more information
If you have any questions or comments about this advisory:
References
Impact
Access to sensitive information available from classpath.
Patches
Patched version: 1.6.7 and 2.8.2
Commit 1.x: jooby-project/jooby@34f5260
Commit 2.x: jooby-project/jooby@c81479d
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Latest 1.x version: 1.6.6
Arbitrary class path resource access 1
When sharing a File System directory as in:
The class path is also searched for the file (
org.jooby.handlers.AssetHandler.loader):jooby/AssetHandler.java at 1.x · jooby-project/jooby · GitHub
If we send
/static/WEB-INF/web.xmlit will fail to load it from the file system but will go intoclassloader.getResource(name)where name equals/WEB-INF/web.xmlso will succeed and return the requested file. This way we can get any configuration file or even the application class filesIf assets are configured for a certain extension we can still bypass it. eg:
We can send:
Arbitrary class path resource access 2
This vulnerability also affects assets configured to access resources from the root of the class path. eg:
In this case we can traverse
staticby sending:For more information
If you have any questions or comments about this advisory:
References