Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

path traversal if path contains rootbucket #221

Closed
jonnytest1 opened this issue Nov 24, 2022 · 5 comments · Fixed by #357
Closed

path traversal if path contains rootbucket #221

jonnytest1 opened this issue Nov 24, 2022 · 5 comments · Fixed by #357
Assignees
Labels
vulnerability bug that poses a security risk

Comments

@jonnytest1
Copy link

jonnytest1 commented Nov 24, 2022

https://github.com/adorsys/datasafe/blob/develop/datasafe-storage/datasafe-storage-impl-s3/src/main/java/de/adorsys/datasafe/storage/impl/s3/StaticBucketRouter.java#L27

if the path provided as DocumentFQN to methods like storeDocument contains the rootbucket string in any way (even if it isnt at the start of the string )
everything in front of it will be stripped and allow writing to arbitrary files if any part of the path is user controlled by prefixing the user controlled part with a rootbucket and then adding the remaining folder structure completely ignoring any kind of user restrictions and allowing overwriting of system or other user's files

example
rootbucket : "bucket"
datasafepath: "users/myuserid/private/files/usercontrolled.aes"
vulnerable datasafepath: "users/myuserid/private/files/bucket/users/otheruser/private/files/somefile.aes"

#@ing some people as it seems kinda important :)
@max402 @jkroepke @valb3r

@francis-pouatcha
Copy link
Member

Looking at public String resourceKey(AbsoluteLocation resource) {...} we assume the resource is an absolute location. Meaning it must carry the bucketName. Using resourcePath.substring(resourcePath.indexOf(bucketName) + bucketName.length()) we trim the first occurrence of the string bucketName. If the resource key contains a member matching the bucketName, this won't be affected.

This is, the resource type T in AbsoluteLocation<T> must make sure the absolute resource path always starts with the bucketName. Therefore, the "vulnerable datasafepath" stated above is not a valid reference to an absolute location.

@jonnytest1
Copy link
Author

jonnytest1 commented Jan 9, 2023

so then the actual error is that the WriteToInboxImpl.java doesnt prefix the rootbucket ?

@jonnytest1
Copy link
Author

jonnytest1 commented Feb 15, 2023

wel it doesnt make sure the request is prefixed wtih the root bucket . we'Re using InboxService.write(WriteRequest.forDefaultPublic()) to write things into the inbox so either the WriteRequest should make sure the rootBucket is prepended (though its not gonna be convenient to inject it there since its staic) or the WriteToInboxImpl.java should make it sure when reading out the request.getLocation() or alternatively somewhere in the following resolver.resolveRelativeToPublicInbox

@AssahBismarkabah
Copy link
Collaborator

Hello @francis-pouatcha this change implies indirectly ensuring that the file paths in the generateUserWithInboxAndOutbox function and related test methods are correctly set up. As it is crucial to avoid NoSuchFileException , are there any other ways we can handle this ?

https://github.com/adorsys/datasafe/blob/develop/datasafe-examples/datasafe-examples-business/src/test/java/de/adorsys/datasafe/examples/business/filesystem/BaseUserOperationsTestWithDefaultDatasafeTest.java

max402 added a commit that referenced this issue Sep 17, 2024
@AssahBismarkabah AssahBismarkabah linked a pull request Sep 19, 2024 that will close this issue
max402 added a commit that referenced this issue Sep 24, 2024
max402 added a commit that referenced this issue Oct 7, 2024
max402 added a commit that referenced this issue Oct 7, 2024
max402 added a commit that referenced this issue Oct 7, 2024
max402 added a commit that referenced this issue Oct 7, 2024
max402 added a commit that referenced this issue Oct 7, 2024
@AssahBismarkabah AssahBismarkabah linked a pull request Oct 7, 2024 that will close this issue
@AssahBismarkabah AssahBismarkabah added the vulnerability bug that poses a security risk label Oct 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
vulnerability bug that poses a security risk
Projects
Development

Successfully merging a pull request may close this issue.

3 participants