Path traversal vulnerability, when using Directory on Windows #1332

Closed
idringvard opened this issue Oct 18, 2018 · 1 comment

Comments

@idringvard

Affected OS: Windows
Restlet version: 2.3.10

When using static file serving, it is possible to bypass the upper-directory check and download files that are outside the configured directory.

Consider the following directory structure

 C:\
  | - static
  | - | - resources
  | - | - | - html
  | - Windows
  | - | - .......

and following code:

import org.restlet.Application;
import org.restlet.Component;
import org.restlet.Restlet;
import org.restlet.data.Protocol;
import org.restlet.resource.Directory;
import org.restlet.routing.Router;
import org.restlet.routing.Template;

public class PathTraversalServer {

    public static void main(String[] args) {
        // HTTP server on port 8080 plus a FILE client so Directory can read local files
        Component component = new Component();
        component.getServers().add(Protocol.HTTP, 8080);
        component.getClients().add(Protocol.FILE);
        component.getDefaultHost().attach("", new FileDownloadApplication());
        try {
            component.start();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    static class FileDownloadApplication extends Application {

        @Override
        public Restlet createInboundRoot() {
            Router router = new Router(getContext());
            router.setDefaultMatchingMode(Template.MODE_EQUALS);
            // Serves C:\static\resources\html under /static using the stock
            // DirectoryServerResource and its built-in upper-directory check
            Directory dir = new Directory(getContext(), "file:///C:/static/resources/html");
            router.attach("/static", dir);
            return router;
        }
    }
}

then, when navigating in a browser to the following URL:
http://localhost:8080/static/..%5c..%5c..%5cWindows%5cnotepad.exe, it is possible to download the notepad.exe file.

When debugging, I found that the above URL translates into the following local resource URI:
file:///C:/static/resource/html/..\\..\\..\\Windows\\notepad.exe, which is a valid Windows URI and is able to bypass the DirectoryServerResource.preventUpperDirectoryAccess() check.

To work around the problem I use the following code:

import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.restlet.Application;
import org.restlet.Component;
import org.restlet.Restlet;
import org.restlet.data.Protocol;
import org.restlet.data.Status;
import org.restlet.engine.local.DirectoryServerResource;
import org.restlet.resource.Directory;
import org.restlet.resource.ResourceException;
import org.restlet.routing.Router;
import org.restlet.routing.Template;

public class PathTraversalServer {

    public static void main(String[] args) {
        Component component = new Component();
        component.getServers().add(Protocol.HTTP, 8080);
        component.getClients().add(Protocol.FILE);
        component.getDefaultHost().attach("", new FileDownloadApplication());
        try {
            component.start();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    static class FileDownloadApplication extends Application {

        @Override
        public Restlet createInboundRoot() {
            Router router = new Router(getContext());
            router.setDefaultMatchingMode(Template.MODE_EQUALS);
            Directory dir = new Directory(getContext(), "file:///C:/static/resources/html");
            // Replace the stock server resource with one that re-checks the target
            dir.setTargetClass(StopPathTraversalResource.class);
            router.attach("/static", dir);
            return router;
        }
    }

    static class StopPathTraversalResource extends DirectoryServerResource {

        @Override
        public void preventUpperDirectoryAccess() {
            try {
                // Resolve both URIs to OS paths and collapse "." / ".." segments
                // (on Windows this also treats '\' as a separator), then require
                // the target to still lie inside the Directory root
                URI targetUri = new URI(getTargetUri());
                Path targetPath = Paths.get(targetUri).normalize();
                URI baseUri = new URI(getDirectory().getRootRef().toString());
                Path basePath = Paths.get(baseUri).normalize();
                if (!targetPath.startsWith(basePath)) {
                    throw new ResourceException(Status.CLIENT_ERROR_FORBIDDEN);
                }
            } catch (URISyntaxException e) {
                throw new ResourceException(e);
            }
        }
    }
}
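To make the bypass mechanism concrete, here is an added Python illustration (not Restlet's code and not the reporter's workaround): it decodes the request from the report, joins it onto the Directory root, and compares a check that only knows '/' as a separator against one that applies Windows path rules. The `local_path_for` helper is an assumed, simplified stand-in for how the URL remainder is mapped onto the root; the base directory and request strings come from the report.

```python
"""Why "..%5c" segments survive a '/'-only upper-directory check on Windows,
and a separator-aware check that rejects them.  Inputs are constructed from
the report above; nothing here is Restlet's own code."""
import ntpath
import posixpath
from urllib.parse import unquote

BASE = "C:/static/resources/html"  # Directory root from the report


def local_path_for(base: str, remainder: str) -> str:
    """Assumed stand-in for mapping the URL remainder after /static onto
    the file root: percent-decode it and append it to the base."""
    return base + "/" + unquote(remainder)


def naive_upper_dir_check(base: str, target: str) -> bool:
    """A check that only treats '/' as a separator.  On Windows a decoded
    '..\\' is not a '..' segment to it, so nothing collapses and the
    prefix test still passes."""
    return posixpath.normpath(target).startswith(posixpath.normpath(base) + "/")


def windows_aware_check(base: str, target: str) -> bool:
    """Normalize with Windows rules: '/' and '\\' both separate segments,
    '..' is collapsed and case is folded, so the real location is what
    gets compared against the root."""
    root = ntpath.normcase(ntpath.normpath(base))
    real = ntpath.normcase(ntpath.normpath(target))
    return real == root or real.startswith(root + ntpath.sep)


def resolved_on_windows(base: str, remainder: str) -> str:
    """Where the request actually lands once Windows path rules apply."""
    return ntpath.normpath(local_path_for(base, remainder))


# Constructed requests: a legitimate one and the encoded-backslash one
# from the report.
LEGIT = "index.html"
TRAVERSAL = "..%5c..%5c..%5cWindows%5cnotepad.exe"

if __name__ == "__main__":
    target = local_path_for(BASE, TRAVERSAL)
    print("naive check passes:", naive_upper_dir_check(BASE, target))
    print("windows-aware check passes:", windows_aware_check(BASE, target))
    print("resolves to:", resolved_on_windows(BASE, TRAVERSAL))
```

Because `ntpath` implements Windows semantics in pure Python, the script gives the same answers on Linux or macOS, which makes it usable as a regression test outside a Windows box.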
@jlouvel
Collaborator

jlouvel commented May 12, 2024

@thboileau Let's work to get this fixed in the 2.4.4 and 2.5 branches.

thboileau added a commit that referenced this issue Jun 8, 2024
* Enforce directory path traversal issue. Issue #1332

* Added unit test case

* Fixed remaining issues under Windows

 - Fixed detection logic for directory inclusion check
 - toString for Directory now indicates the root URI

---------

Co-authored-by: Jerome Louvel <[email protected]>
thboileau added a commit that referenced this issue Jun 9, 2024