
[BUG]Arbitrary File Read Vulnerability in v1.15.4 #8652

Closed
rainmanzzz opened this issue Dec 20, 2021 · 1 comment
Labels: Status: awaiting feedback (waiting for the user to provide detailed reproduction steps, file logs or similar information)

@rainmanzzz

Version

v1.15.4

Description

Authenticated users can read arbitrary files on the server with the file download function.

API: /api/automation/file/download

Vulnerable source code:
ApiAutomationService.java

    public byte[] loadFileAsBytes(FileOperationRequest fileOperationRequest) {
        // The request-controlled id and name are concatenated straight into the
        // path with no validation or canonicalisation, so "../" sequences in
        // either field let the resulting path escape BODY_FILE_DIR.
        File file = new File(FileUtils.BODY_FILE_DIR + "/" + fileOperationRequest.getId() + "_" + fileOperationRequest.getName());
        try (FileInputStream fis = new FileInputStream(file);
             ByteArrayOutputStream bos = new ByteArrayOutputStream(1000);) {
            byte[] b = new byte[1000];
            int n;
            // Whatever file the path resolves to is read in full and returned to the caller.
            while ((n = fis.read(b)) != -1) {
                bos.write(b, 0, n);
            }
            return bos.toByteArray();
        } catch (Exception ex) {
            LogUtil.error(ex);
        }
        return null;
    }

To Reproduce

I have tested this vulnerability on the demo website https://demo.metersphere.com/.
Using the payload below, we successfully read /etc/passwd.
image
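A hardened version of the download path construction, added here as an illustration and not the project's own fix. It assumes a base directory playing the role of FileUtils.BODY_FILE_DIR, and shows the two checks a defender wants for this bug: an allow-list on the id and name fragments before the path is built, and a canonical-path containment check after it is built (so symlinks under the directory cannot point outside it either).

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class SafeBodyFileLoader {
    // Assumption: the same storage directory the vulnerable method builds paths under.
    private final Path baseDir;

    public SafeBodyFileLoader(String bodyFileDir) throws IOException {
        this.baseDir = Paths.get(bodyFileDir).toRealPath();
    }

    // Accept only plain file-name fragments: this rejects "/", "\", "..",
    // absolute paths and null bytes before any path is constructed.
    static boolean isSafeFragment(String s) {
        return s != null && s.matches("[A-Za-z0-9._-]+")
            && !s.equals(".") && !s.equals("..");
    }

    // Build the path, then confirm it still lies under baseDir both after
    // normalisation and after symlink resolution (defence in depth).
    Path resolveChecked(String id, String name) throws IOException {
        if (!isSafeFragment(id) || !isSafeFragment(name)) {
            throw new IllegalArgumentException("invalid file id or name");
        }
        Path candidate = baseDir.resolve(id + "_" + name).normalize();
        if (!candidate.startsWith(baseDir)) {
            throw new IllegalArgumentException("path escapes body file directory");
        }
        Path real = candidate.toRealPath(); // throws NoSuchFileException if absent
        if (!real.startsWith(baseDir)) {
            throw new IllegalArgumentException("symlink escapes body file directory");
        }
        return real;
    }

    public byte[] loadFileAsBytes(String id, String name) throws IOException {
        return Files.readAllBytes(resolveChecked(id, name));
    }

    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("body-files"); // constructed stand-in directory
        Files.write(tmp.resolve("42_body.json"), "{}".getBytes());
        SafeBodyFileLoader loader = new SafeBodyFileLoader(tmp.toString());
        System.out.println(loader.loadFileAsBytes("42", "body.json").length + " bytes read");
        try {
            loader.loadFileAsBytes("../../..", "etc/passwd"); // traversal attempt is rejected
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```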

@github-actions github-actions bot added the "Status: pending (assigned to the relevant handler, waiting for them to process it and update the status)" label Dec 20, 2021
@youliyuan-fit2cloud

Thanks very much for your discovery, we will fix it within the next version.

@github-actions github-actions bot added "Status: awaiting feedback (waiting for the user to provide detailed reproduction steps, file logs or similar information)" and removed "Status: pending (assigned to the relevant handler, waiting for them to process it and update the status)" labels Dec 21, 2021
@youliyuan-fit2cloud youliyuan-fit2cloud added this to the v1.16.0 milestone Dec 21, 2021
AgAngle added a commit that referenced this issue Dec 21, 2021