vuln-fix: Partial Path Traversal Vulnerability

This fixes a partial path traversal vulnerability. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`. To demonstrate this vulnerability, consider `"/usr/outnot".startsWith("/usr/out")`. The check is bypassed although `/outnot` is not under the `/out` directory. It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object. For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/")` will print `/var/`; however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`. Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Severity: Medium CVSSS: 6.1 Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.PartialPathTraversalVulnerability) Reported-by: Jonathan Leitschuh <[email protected]> Signed-off-by: Jonathan Leitschuh <[email protected]> Bug-tracker: JLLeitschuh/security-research#13 Co-authored-by: Moderne <[email protected]>
BulkSecurityGeneratorProjectV2 · Jul 29, 2022 · 9db360c · 9db360c
1 parent cb92310
commit 9db360c
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 5 deletions.
diff --git a/src/main/java/com/laytonsmith/PureUtilities/VirtualFS/RealFileSystemLayer.java b/src/main/java/com/laytonsmith/PureUtilities/VirtualFS/RealFileSystemLayer.java
@@ -23,17 +23,17 @@ public RealFileSystemLayer(VirtualFile path, VirtualFileSystem fileSystem, Strin
 		super(path, fileSystem, symlink);
 		if(symlink == null) {
 			real = new File(fileSystem.root, path.getPath());
-			if(!real.getCanonicalPath().startsWith(fileSystem.root.getCanonicalPath())) {
+			if(!real.getCanonicalFile().toPath().startsWith(fileSystem.root.getCanonicalFile().toPath())) {
 				throw new PermissionException(path.getPath() + " extends above the root directory of this file system, and does not point to a valid file.");
 			}
 		} else {
 			File symlinkRoot = new File(fileSystem.symlinkFile, symlink);
 			real = new File(symlinkRoot, path.getPath());
 			//If the path extends above the symlink, disallow it
-			if(!real.getCanonicalPath().startsWith(symlinkRoot.getCanonicalPath())) {
+			if(!real.getCanonicalFile().toPath().startsWith(symlinkRoot.getCanonicalFile().toPath())) {
 				//Unless of course, the path is still within the full real path, then
 				//eh, we'll allow it.
-				if(!real.getCanonicalPath().startsWith(fileSystem.root.getCanonicalPath())) {
+				if(!real.getCanonicalFile().toPath().startsWith(fileSystem.root.getCanonicalFile().toPath())) {
 					throw new PermissionException(path.getPath() + " extends above the root directory of this file system, and does not point to a valid file.");
 				}
 			}

diff --git a/src/main/java/com/laytonsmith/core/Security.java b/src/main/java/com/laytonsmith/core/Security.java
@@ -34,7 +34,7 @@ public static boolean CheckSecurity(String location) throws IOException {
 					baseFinal = baseFinal.substring(0, baseFinal.length() - 1);
 				}
 				File loc = new File(location);
-				if(loc.getCanonicalPath().startsWith(baseFinal)) {
+				if(loc.getCanonicalFile().toPath().startsWith(baseFinal)) {
 					return true;
 				}
 			}

diff --git a/src/main/java/com/laytonsmith/core/asm/AsmInstaller.java b/src/main/java/com/laytonsmith/core/asm/AsmInstaller.java
@@ -200,7 +200,7 @@ public static File getWindowsBuildToolsLocation() {
 			}
 			for(File fullVersion : buildTool.listFiles()) {
 				try {
-					if(fullVersion.getCanonicalPath().startsWith(withVersion.getCanonicalPath())) {
+					if(fullVersion.getCanonicalFile().toPath().startsWith(withVersion.getCanonicalFile().toPath())) {
 						return fullVersion;
 					}
 				} catch (IOException e) {