🐞
VulnInsights
  • VulnInsights
  • reporting-templates
    • Open Redirect
  • web-app-vulnerabilities
    • API Testing
    • GraphQL
    • open-redirect
  • secure-coding
    • docs
      • CWE-22
        • dotnet
          • .NET Deserialisation
        • groovy
          • bigbluebutton-lfi
        • java
          • path-traversal-metasphere
      • CWE-23
        • python
          • anything-llm-arbitrary-file-deletion
      • CWE-338
        • java
          • Overview
      • CWE-89
        • javascript
          • Overview
      • CWE-98
        • php
          • Overview
Powered by GitBook
On this page

Was this helpful?

Last updated 1 year ago

Overview

This vulnerability was reported by

Source link for the reported vulnerabilities are as follows:

  • https://huntr.com/bounties/b7753929-b7bf-4072-9ff0-1ff62baba278/

Path Traversal in AttachmentService.java

The problem with the following code is that belongId is something which is user-controlled input and since it is being concatenated to the path which is later used for saving the uploaded file. Now, since we control the belongId we can just give ../ characters to traverse through the system.

Patch

The patch is rather simple but effective here as now there's a check for / character in the belongId, if there is an exception will be thrown.

How to Identify Similar vulnerabilities

It is very important to look into the functions which handles file based operations and if the user-controlled data is being processed in any way which can affect the path of the files.

  • Overview
  • Path Traversal in AttachmentService.java
PreviousjavaNextCWE-23
  1. secure-coding
  2. docs
  3. CWE-22
  4. java

path-traversal-metasphere

lujiefsi
How to Identify Similar vulnerabilities
    public FileAttachmentMetadata saveAttachment(MultipartFile file, String attachmentType, String belongId) {
        String uploadPath = FileUtils.ATTACHMENT_DIR + "/" + attachmentType + "/" + belongId;
        FileUtils.uploadFile(file, uploadPath);
        final FileAttachmentMetadata fileAttachmentMetadata = new FileAttachmentMetadata();
        fileAttachmentMetadata.setId(UUID.randomUUID().toString());
        fileAttachmentMetadata.setName(file.getOriginalFilename());
        fileAttachmentMetadata.setType(getFileTypeWithoutEnum(fileAttachmentMetadata.getName()));
        fileAttachmentMetadata.setSize(file.getSize());
        fileAttachmentMetadata.setCreateTime(System.currentTimeMillis());
        fileAttachmentMetadata.setUpdateTime(System.currentTimeMillis());
        fileAttachmentMetadata.setCreator(SessionUtils.getUser().getName());
        fileAttachmentMetadata.setFilePath(uploadPath);
        fileAttachmentMetadataMapper.insert(fileAttachmentMetadata);
        return fileAttachmentMetadata;
    }
    public FileAttachmentMetadata saveAttachment(MultipartFile file, String attachmentType, String belongId) {
        if (attachmentType.contains("/") || belongId.contains("/")) {
            MSException.throwException(Translator.get("invalid_parameter"));
        }
        String uploadPath = FileUtils.ATTACHMENT_DIR + "/" + attachmentType + "/" + belongId;
        FileUtils.uploadFile(file, uploadPath);
        final FileAttachmentMetadata fileAttachmentMetadata = new FileAttachmentMetadata();
        fileAttachmentMetadata.setId(UUID.randomUUID().toString());
        fileAttachmentMetadata.setName(file.getOriginalFilename());
        fileAttachmentMetadata.setType(getFileTypeWithoutEnum(fileAttachmentMetadata.getName()));
        fileAttachmentMetadata.setSize(file.getSize());
        fileAttachmentMetadata.setCreateTime(System.currentTimeMillis());
        fileAttachmentMetadata.setUpdateTime(System.currentTimeMillis());
        fileAttachmentMetadata.setCreator(SessionUtils.getUser().getName());
        fileAttachmentMetadata.setFilePath(uploadPath);
        fileAttachmentMetadataMapper.insert(fileAttachmentMetadata);
        return fileAttachmentMetadata;
    }