
Multiple Security Vulnerabilities found #2406

Open
junorouse opened this issue Jul 30, 2019 · 1 comment

Comments

@junorouse

commented Jul 30, 2019

Describe the bug

IDOR (Insecure Direct Object Reference)

```java
@RequestMapping(path = "/workbooks/{workbookId}/comments/{commentId}",
        method = { RequestMethod.PUT, RequestMethod.PATCH })
public @ResponseBody
ResponseEntity<?> saveComments(@PathVariable("workbookId") String workbookId,
                               @PathVariable("commentId") Long commentId,
                               @RequestBody Comment comment) {
    Comment persistComment = validateComment(workbookId, commentId);
    persistComment.setContents(comment.getContents());
    commentRepository.saveAndFlush(comment);
    return ResponseEntity.noContent().build();
}
```


Comments in workbooks the user has no permission for can be modified. This anti-pattern is used in many places, so a patch is recommended.

Arbitrary File Read + Path traversal

```java
@RequestMapping(path = "/queryeditors/{id}/query/download/csv", method = RequestMethod.POST,
        consumes = MediaType.APPLICATION_JSON_VALUE)
@ResponseBody
public void downloadCSVJson(@PathVariable("id") String id,
                            @RequestBody Map<String, Object> requestBody,
                            HttpServletResponse response) throws IOException {
    String csvFilePath = (String) requestBody.get("csvFilePath");
    String fileName = (String) requestBody.get("fileName");
    if (StringUtils.isEmpty(fileName)) {
        fileName = "noname";
    }
    String csvBaseDir = workbenchProperties.getTempCSVPath();
    if (!csvBaseDir.endsWith(File.separator)) {
        csvBaseDir = csvBaseDir + File.separator;
    }
    String filePath = csvBaseDir + csvFilePath;
    HttpUtils.downloadCSVFile(response, fileName, filePath, "text/csv; charset=utf-8");
}
```


Arbitrary files on the server can be leaked (conf / env). Recommended patch: obtain the realPath and block access to any folder not in the configuration.

SSRF

```java
@RequestMapping(path = "/connectors/status/{hostname}/{port}", method = RequestMethod.GET)
public @ResponseBody
ResponseEntity<?> checkStatus(@PathVariable("hostname") String hostname,
                              @PathVariable("port") String port) {
    try {
        UriComponents getUrl = UriComponentsBuilder
                .fromHttpUrl(makeHttpUrl(hostname, port))
                .build();
        httpRepository.call(getUrl.toUriString(), HttpMethod.GET, null, String.class);
        return ResponseEntity.ok().build();
    } catch (RuntimeException re) {
        return ResponseEntity.status(HttpStatus.SERVICE_UNAVAILABLE).build();
    }
}

/**
 *
 * @param hostname
 * @param port
 * @return
 */
private String makeHttpUrl(String hostname, String port) {
    StringBuilder builder = new StringBuilder();
    builder.append("http://");
    builder.append(hostname);
    if (port != null) {
        builder.append(":").append(port);
    }
    return builder.toString();
}
```


Arbitrary HTTP requests can be sent. DevOps services reachable only on the internal network can be attacked through it.

default user/pass

It is possible to log in to the hosted demo site with the default user. -- https://discovery.metatron.app/ (polaris / polaris)

Ref
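The fix the report recommends for the CSV download, as an added example that is not the project's own code: canonicalise both the configured base directory and the resolved request with `toRealPath()`, then require the result to start with the base, component-wise. The class and method names are assumptions; the project's `downloadCSVJson` would call `resolveUnderBase` instead of concatenating `csvBaseDir + csvFilePath`.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (not project code): resolve a user-supplied CSV file name under
// the configured temp directory and reject anything that escapes it.
public final class SafeCsvPath {

    // Assumed helper; replaces the string concatenation in downloadCSVJson.
    public static Path resolveUnderBase(Path csvBaseDir, String csvFilePath) throws IOException {
        if (csvFilePath == null || csvFilePath.isEmpty()) {
            throw new IllegalArgumentException("csvFilePath is required");
        }
        // Canonicalise the base once: follows symlinks, strips "..", yields an absolute path.
        Path base = csvBaseDir.toRealPath();
        // Resolve relative to the base, then canonicalise the result the same way.
        // An absolute csvFilePath replaces the base in resolve(), so the check below still
        // catches it; a non-existent file fails here with NoSuchFileException.
        Path candidate = base.resolve(csvFilePath).toRealPath();
        // Component-wise containment, not a string prefix: "/tmp/csv" must not match "/tmp/csv-other".
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes CSV directory: " + csvFilePath);
        }
        if (!Files.isRegularFile(candidate)) {
            throw new SecurityException("not a regular file: " + csvFilePath);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a temp dir holding one CSV file.
        Path base = Files.createTempDirectory("csv-base");
        Path ok = Files.writeString(base.resolve("export.csv"), "a,b\n1,2\n");
        System.out.println("allowed: " + resolveUnderBase(base, "export.csv"));
        for (String bad : new String[] { "../../etc/passwd", "/etc/passwd" }) {
            try {
                resolveUnderBase(base, bad);
                System.out.println("UNEXPECTED: allowed " + bad);
            } catch (SecurityException | IOException e) {
                System.out.println("rejected " + bad + ": " + e.getClass().getSimpleName());
            }
        }
        Files.delete(ok);
        Files.delete(base);
    }
}
```

Requires Java 11 or later for `Files.writeString`; the same containment check applies to the other endpoints in the project that build file paths from request input.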

@minhyun2


Contributor

commented Aug 12, 2019

Thank you for your report regarding security vulnerabilities.
Each issue raised above will be managed internally and remediated.
