vuln-fix: Partial Path Traversal Vulnerability

JLLeitschuh · TeamModerne · JLLeitschuh · commit 5950fbdede24 · 2022-09-21T15:22:25.000Z
This fixes a partial path traversal vulnerability. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`. To demonstrate this vulnerability, consider `"/usr/outnot".startsWith("/usr/out")`. The check is bypassed although `/outnot` is not under the `/out` directory. It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object. For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`; however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`. Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Severity: Medium CVSSS: 6.1 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.PartialPathTraversalVulnerability) Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com> Bug-tracker: JLLeitschuh/security-research#13 Co-authored-by: Moderne <team@moderne.io>
diff --git a/src/main/java/com/simpligility/maven/plugins/android/phase09package/ApklibMojo.java b/src/main/java/com/simpligility/maven/plugins/android/phase09package/ApklibMojo.java
@@ -258,10 +258,9 @@ protected void addJavaResource( JarArchiver jarArchiver, Resource javaResource,
             final File javaResourceDirectory = new File( javaResource.getDirectory() );
             if ( javaResourceDirectory.exists() )
             {
-                final String resourcePath = javaResourceDirectory.getCanonicalPath();
                 final String apkLibUnpackBasePath = getUnpackedLibsDirectory().getCanonicalPath();
                 // Don't include our dependencies' resource dirs.
-                if ( ! resourcePath.startsWith( apkLibUnpackBasePath ) )
+                if ( ! javaResourceDirectory.getCanonicalFile().toPath().startsWith(apkLibUnpackBasePath) )
                 {
                     final DefaultFileSet javaResourceFileSet = new DefaultFileSet();
                     javaResourceFileSet.setDirectory( javaResourceDirectory );

Original file line number	Diff line number	Diff line change
`@@ -258,10 +258,9 @@ protected void addJavaResource( JarArchiver jarArchiver, Resource javaResource,`
`258`	`258`	`final File javaResourceDirectory = new File( javaResource.getDirectory() );`
`259`	`259`	`if ( javaResourceDirectory.exists() )`
`260`	`260`	`{`
`261`		`- final String resourcePath = javaResourceDirectory.getCanonicalPath();`
`262`	`261`	`final String apkLibUnpackBasePath = getUnpackedLibsDirectory().getCanonicalPath();`
`263`	`262`	`// Don't include our dependencies' resource dirs.`
`264`		`- if ( ! resourcePath.startsWith( apkLibUnpackBasePath ) )`
	`263`	`+ if ( ! javaResourceDirectory.getCanonicalFile().toPath().startsWith(apkLibUnpackBasePath) )`
`265`	`264`	`{`
`266`	`265`	`final DefaultFileSet javaResourceFileSet = new DefaultFileSet();`
`267`	`266`	`javaResourceFileSet.setDirectory( javaResourceDirectory );`