possible cache escape #1566

Open
jukzi opened this issue Jul 31, 2023 · 9 comments
Labels
bug Something isn't working

Comments

@jukzi

jukzi commented Jul 31, 2023

https://github.com/eclipse/lemminx/blame/2b0fe29f52c111be3d5c1dccdf9d08340c63be31/org.eclipse.lemminx/src/main/java/org/eclipse/lemminx/uriresolver/CacheResourcesManager.java#L316
Checking for ".." only does not protect against more (triple) dots on, for example, win95
https://cwe.mitre.org/data/definitions/32.html

@angelozerr
Contributor

@jukzi do you have a concrete sample where there could be a problem?

@jukzi
Author

jukzi commented Aug 1, 2023

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root_element SYSTEM "http://anyhost/.../.../escapedthecachefolder">
<body>
</body>
```

image

@jukzi
Author

jukzi commented Aug 1, 2023

Please also note that somehow
`<!DOCTYPE root_element SYSTEM "file://localhost:/secret">`
tries to access c:/secret - why??
image

And it happens even if in the Eclipse IDE the option "download external resources like referenced DTD, XSD" is disabled!
image

@angelozerr
Contributor

> tries to access c:/secret - why??

The problem needs to be investigated. Do you think you could be interested in contributing to your issue?

> And it happens even if in the Eclipse IDE the option "download external resources like referenced DTD, XSD" is disabled!

It should have worked for a long time. After changing the preference, if you type a space in the XML, you should see:

image

@jukzi
Author

jukzi commented Aug 1, 2023

It doesn't matter what the dialog box says when it still tries to read arbitrary files from filesystem.
I don't know how to debug lemminx. It's in another process than eclipse.exe.
For the triple dot thing it would be enough to just search for "../" instead of "/../"

@angelozerr added the bug (Something isn't working) label Aug 2, 2023
@angelozerr
Contributor

We are busy and I fear that we will not have time to do that for now.

I know that we have several tests about this check. If you feel like fixing it in lemminx (+test), it would be really nice.

@angelozerr
Contributor

> It doesn't matter what the dialog box says when it still tries to read arbitrary files from filesystem.

Oh, the problem comes from when you use localhost? If you try http, https, does it work?

@jukzi
Author

jukzi commented Aug 4, 2023

I see the problem only for "file://localhost:". http/https or any host other than localhost does not show the effect.

@angelozerr
Contributor

OK, I understand more: if it starts with file we consider that it is not a remote file and we try to download something.

Any contributions are welcome!

If you are interested in working on this issue and you need some help, please ask me.
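
As an added example (not part of the thread and not lemminx code), one way to cover both observations above: check each path segment and the final resolved location instead of searching the URL string for "..", and refuse anything that is not http(s) before a cache path is built. The class and method names and the `cache-demo` directory are assumptions.

```java
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
// Added illustration; class and method names are hypothetical, not lemminx API.
public class CachePathCheck {
    /** Maps a remote URL to a file under cacheRoot, or throws if it would land outside. */
    static Path resolveInCache(Path cacheRoot, String url) {
        URI uri = URI.create(url); // IllegalArgumentException on malformed input
        String scheme = uri.getScheme();
        // Only http/https are cached; file: URLs (with any authority) are refused here.
        if (!"http".equalsIgnoreCase(scheme) && !"https".equalsIgnoreCase(scheme)) {
            throw new IllegalArgumentException("not a cacheable remote URL");
        }
        String host = uri.getHost();
        String path = uri.getPath(); // percent-decoded, so %2e%2e becomes ".."
        if (host == null || path == null) {
            throw new IllegalArgumentException("missing host or path");
        }
        Path root = cacheRoot.toAbsolutePath().normalize();
        Path target = root.resolve(host);
        for (String segment : path.split("[/\\\\]+")) {
            if (segment.isEmpty()) continue;
            // Reject ".", "..", "..." and longer runs of dots (CWE-32 style segments).
            if (segment.matches("\\.+")) {
                throw new IllegalArgumentException("dot-only path segment");
            }
            target = target.resolve(segment);
        }
        target = target.normalize();
        // Containment check on the resolved path, independent of the string test above.
        if (!target.startsWith(root)) {
            throw new IllegalArgumentException("resolves outside the cache folder");
        }
        return target;
    }

    public static void main(String[] args) {
        Path cache = Paths.get("cache-demo"); // constructed sample directory
        String[] samples = { "http://anyhost/dtd/schema.dtd", // constructed URL
            "http://anyhost/.../.../escapedthecachefolder",   // from the thread
            "file://localhost:/secret" };                     // from the thread
        for (String s : samples) {
            try {
                System.out.println("OK   " + s + " -> " + resolveInCache(cache, s));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```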
