GHSA-82j3-hf72-7x93 – com.reposilite:reposilite-backend
Package
Manager: maven
Name: com.reposilite:reposilite-backend
Vulnerable Version: >=3.3.0 <3.5.12
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: N/A (percentile: N/A)
Details
Reposilite vulnerable to path traversal while serving javadoc expanded files (arbitrary file read) (`GHSL-2024-074`)

### Summary

Reposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files.

### Details

The problem lies in the way the expanded javadoc files are served. The `GET /javadoc/{repository}/<gav>/raw/<resource>` route uses the `<resource>` path parameter to locate the file in the `javadocUnpackPath` directory and returns its content to the user.

[JavadocFacade.kt#L77](https://github.com/dzikoysk/reposilite/blob/68b73f19dc9811ccf10936430cf17f7b0e622bd6/reposilite-backend/src/main/kotlin/com/reposilite/javadocs/JavadocFacade.kt#L77):

```kotlin
fun findRawJavadocResource(request: JavadocRawRequest): Result<JavadocRawResponse, ErrorResponse> =
    with (request) {
        mavenFacade.canAccessResource(accessToken, repository, gav)
            .flatMap { javadocContainerService.loadContainer(accessToken, repository, gav) }
            // The raw, un-normalized resource string is resolved against the unpack directory.
            .filter({ Files.exists(it.javadocUnpackPath.resolve(resource.toString())) }, { notFound("Resource $resource not found") })
            .map {
                JavadocRawResponse(
                    contentType = supportedExtensions[resource.getExtension()] ?: ContentType.APPLICATION_OCTET_STREAM,
                    content = Files.newInputStream(it.javadocUnpackPath.resolve(resource.toString()))
                )
            }
    }
```

In this case, the `<resource>` path parameter can contain path traversal sequences such as `/../../`. Since the path is concatenated with the main directory without normalization, it opens the possibility to read files outside the `javadocUnpackPath` directory.

#### Impact

This issue may lead to Arbitrary File Read on the server. A potential attacker can read sensitive files such as `reposilite.db`, the SQLite database used by Reposilite. This database contains the sensitive information used by Reposilite, including passwords and hashes of issued tokens. The `configuration.cdn` file, which contains other sensitive properties, can also be read.
### Steps to reproduce

1. Start the Reposilite instance on http://localhost:8080/
2. Find at least one javadoc file in the hosted repositories. For example, the default test workspace contains the `/releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar` archive that is suitable for our attack.
3. Send a GET request to http://127.0.0.1:8080/javadoc/releases/javadoc/1.0.0/raw/%2e%2e%5c%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2freposilite.db

When this request is processed on the server, Reposilite tries to unpack the `/repositories/releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar` file into the `/javadocs/releases/javadoc/1.0.0/.cache/unpack` folder. Then, it tries to read the `../../../../../../reposilite.db` file from this folder, which triggers the path traversal attack.

### Remediation

Normalize (remove all occurrences of `/../`) the `<resource>` path parameter before using it when reading the file. For example:

```kotlin
content = Files.newInputStream(it.javadocUnpackPath.resolve(resource.toPath()))
```

Changing `resource.toString()` to `resource.toPath()` is enough here as the `com.reposilite.storage.api.Location#toPath` method normalizes the string internally.
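The unchecked and the hardened resolution side by side, as an added example in Python rather than Reposilite's own Kotlin code: it feeds the advisory's URL-encoded resource segment through a lexical resolver, showing that the raw join keeps the `..` segments while a normalize-then-contain check rejects it. The root path `/srv/reposilite` and the directory layout are constructed assumptions, and the containment check goes one step beyond the advisory's normalization-only remediation.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed layout mirroring the advisory; the root directory is an assumption.
ROOT = "/srv/reposilite"
UNPACK_DIR = ROOT + "/javadocs/releases/javadoc/1.0.0/.cache/unpack"

# URL-encoded <resource> segment from the advisory's reproduction request.
ENCODED_RESOURCE = "%2e%2e%5c%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2freposilite.db"


def decode_resource(encoded: str) -> str:
    """Percent-decode the path segment as the route handler would receive it."""
    return unquote(encoded)


def resolve_unchecked(unpack_dir: str, resource: str) -> str:
    """Vulnerable pattern: join the raw string and let the filesystem walk every
    '..' (mirrors javadocUnpackPath.resolve(resource.toString()))."""
    return posixpath.join(unpack_dir, resource)


def normalized_target(unpack_dir: str, resource: str) -> str:
    """Where the request actually lands once '..' segments are collapsed.
    Backslashes are folded to '/', since a check that only strips '../' would
    otherwise miss the '..\\' segment at the start of the advisory's payload."""
    cleaned = resource.replace("\\", "/")
    return posixpath.normpath(posixpath.join(unpack_dir, cleaned))


def resolve_contained(unpack_dir: str, resource: str) -> Optional[str]:
    """Hardened pattern: normalize, then require the result to stay strictly
    below unpack_dir. Returns None for anything that escapes (or that names
    the directory itself, which is not a servable file)."""
    base = posixpath.normpath(unpack_dir)
    candidate = normalized_target(base, resource)
    if not candidate.startswith(base + "/"):
        return None
    return candidate


if __name__ == "__main__":
    payload = decode_resource(ENCODED_RESOURCE)
    print("decoded  :", payload)
    print("unchecked:", resolve_unchecked(UNPACK_DIR, payload))
    print("lands on :", normalized_target(UNPACK_DIR, payload))
    print("hardened :", resolve_contained(UNPACK_DIR, payload))
    print("legit    :", resolve_contained(UNPACK_DIR, "index.html"))
```

The six collapsed `..` segments climb from `.cache/unpack` through `1.0.0`, `javadoc`, `releases` and `javadocs` to the root that holds `reposilite.db`, which is exactly why a containment check after normalization, not string stripping alone, is the robust defence.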
Metadata
Created: 2024-11-04T23:23:08Z
Modified: 2024-11-04T23:23:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-82j3-hf72-7x93/GHSA-82j3-hf72-7x93.json
CWE IDs: ["CWE-22"]
Alternative ID: N/A
Finding: F063
Auto approve: 1