GHSA-CJX7-399X-P2RJ

Vulnerability from github – Published: 2021-07-26 21:15 – Updated: 2021-07-28 15:37
Summary
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in micronaut-core
Details

With a basic configuration like

router:
  static-resources:
    assets:
      enabled: true
      mapping: /.assets/public/**
      paths: file:/home/lstrmiska/test/

it is possible to access any file on the filesystem by using "/../../" in the URL, because Micronaut does not restrict file access to the configured paths.

Repro Steps

  • create a file test.txt in /home/lstrmiska
  • start micronaut
  • execute command curl -v --path-as-is "http://localhost:8080/.assets/public/../test.txt"
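A fail-closed containment check for the scenario described above, as an added example; it is not Micronaut's code and not the patch from this advisory. The class and method names, the temporary directory layout and the request strings are constructed for illustration, and a Unix-like filesystem is assumed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

public class StaticPathContainment {

    // Fail-closed resolution of a request suffix against a static-resource base directory.
    // 'base' must already be absolute, normalized and symlink-free (see main).
    static Optional<Path> resolveContained(Path base, String requested) throws IOException {
        // Collapse "." and ".." lexically; an absolute 'requested' replaces the base entirely.
        Path candidate = base.resolve(requested).normalize();
        // Path.startsWith compares whole name elements, so <base>2/x does not match <base>.
        if (!candidate.startsWith(base)) {
            return Optional.empty();
        }
        // The lexical test does not see symlinks; for existing files compare real paths too.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            return Optional.empty();
        }
        return Optional.of(candidate);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mirroring the advisory: <root>/test/ is served, <root>/test.txt is not.
        Path root = Files.createTempDirectory("advisory-demo").toRealPath();
        Path base = Files.createDirectory(root.resolve("test"));
        Files.write(base.resolve("ok.txt"), "public".getBytes());
        Files.write(root.resolve("test.txt"), "private".getBytes());

        // Request suffixes: what remains after the /.assets/public/ mapping prefix.
        String[] requests = {"ok.txt", "../test.txt", "sub/../../test.txt",
                root.resolve("test.txt").toString(), "../test2/ok.txt"};
        for (String r : requests) {
            Path unchecked = base.resolve(r).normalize(); // what an unrestricted loader would open
            String verdict = resolveContained(base, r).map(Path::toString).orElse("REJECTED");
            System.out.println(r + " -> unchecked=" + unchecked + " contained=" + verdict);
        }
    }
}
```

Only ok.txt resolves; every other request is rejected before any file is opened, including the absolute path and the sibling directory whose name merely begins with the base directory's name.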

Impact

Micronaut can potentially leak sensitive information.

See https://cwe.mitre.org/data/definitions/22.html

Patches

diff --git a/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java b/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java
index 2f5a91403..19d3b7f05 100644
--- a/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java
+++ b/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java
@@ -69,6 +69,9 @@ public class DefaultFileSystemResourceLoader implements FileSystemResourceLoader
     @Override
     public Optional<InputStream> getResourceAsStream(String path) {
         Path filePath = getFilePath(normalize(path));
+        if (pathOutsideBase(filePath)) {
+            return Optional.empty();
+        }
         try {
             return Optional.of(Files.newInputStream(filePath));
         } catch (IOException e) {
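Review bot: the new guard in getResourceAsStream returns Optional.empty() silently when the path is outside the base, so a rejected traversal attempt leaves no trace. A log line at the rejection point (debug or warn, with the requested path) would make probing visible to operators. The patch as shown also touches only DefaultFileSystemResourceLoader.java; a regression test that requests ../test.txt against a configured base directory would pin the behaviour.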
@@ -79,7 +82,7 @@ public class DefaultFileSystemResourceLoader implements FileSystemResourceLoader
     @Override
     public Optional<URL> getResource(String path) {
         Path filePath = getFilePath(normalize(path));
-        if (Files.exists(filePath) && Files.isReadable(filePath) && !Files.isDirectory(filePath)) {
+        if (!pathOutsideBase(filePath) && Files.exists(filePath) && Files.isReadable(filePath) && !Files.isDirectory(filePath)) {
             try {
                 URL url = filePath.toUri().toURL();
                 return Optional.of(url);
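Review bot: getResource repeats the pattern from getResourceAsStream, getFilePath(normalize(path)) followed by a separate pathOutsideBase call, so the containment check is opt-in at each call site. Moving the check into getFilePath, or into one helper that returns an empty Optional for an out-of-base path, would mean any method added later that resolves a path gets the restriction by default. In the condition itself, putting !pathOutsideBase(filePath) first is right, since it keeps Files.exists from probing paths outside the base.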
@@ -117,4 +120,15 @@ public class DefaultFileSystemResourceLoader implements FileSystemResourceLoader
     private Path getFilePath(String path) {
         return baseDirPath.map(dir -> dir.resolve(path)).orElseGet(() -> Paths.get(path));
     }
+
+    private boolean pathOutsideBase(Path path) {
+        if (baseDirPath.isPresent()) {
+            Path baseDir = baseDirPath.get();
+            if (path.isAbsolute() == baseDir.isAbsolute()) {
+                Path relativePath = baseDir.relativize(path);
+                return relativePath.startsWith("..");
+            }
+        }
+        return false;
+    }
 }
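Review bot: pathOutsideBase fails open when path.isAbsolute() differs from baseDir.isAbsolute(): the inner if is skipped and the method returns false, so the path is treated as inside the base. getFilePath uses dir.resolve(path), and resolve returns its argument unchanged when that argument is absolute, so with a relative base directory an absolute request path would pass unless normalize(), which is not shown here, strips it. Converting both sides with toAbsolutePath().normalize() and returning !path.startsWith(baseDir) would remove the special case and reject by default. The relativize test is also purely lexical, so a symlink inside the base that points elsewhere is not caught; comparing toRealPath() results would cover that, and a short Javadoc on the method should say which of these cases it is meant to handle.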
-- 

Workarounds

  • Do not use ** in the mapping; use only *, which exposes only the flat structure of a directory and does not allow traversal.
  • Run Micronaut in a chroot (Linux only).

References

See https://cwe.mitre.org/data/definitions/22.html

For more information

If you have any questions or comments about this advisory:

  • Open an issue in GitHub
  • Email us at info@micronaut.io


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-http-server-netty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.5.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-32769"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-07-22T20:25:11Z",
    "nvd_published_at": "2021-07-16T19:15:00Z",
    "severity": "HIGH"
  },
  "id": "GHSA-cjx7-399x-p2rj",
  "modified": "2021-07-28T15:37:18Z",
  "published": "2021-07-26T21:15:08Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-cjx7-399x-p2rj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32769"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/commit/a0cfeb13bf1ef5d692d16d4a3b91b34b7456bb11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) in micronaut-core"
}

