Lack of data validation - Path Traversal In io.micronaut:micronaut-http-client

Description

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in micronaut-core. With a basic static-resources configuration like the following:

router:
  static-resources:
    assets:
      enabled: true
      mapping: /.assets/public/**
      paths: file:/home/lstrmiska/test/

it is possible to read any file on the filesystem that the Micronaut process can read, by placing "/../../" segments in the URL, because Micronaut does not restrict file access to the configured paths: it serves whatever the request path resolves to relative to paths, even when the resolved location lies outside that directory.

Repro Steps

    create a file test.txt in /home/lstrmiska (one directory above the configured /home/lstrmiska/test)

    start Micronaut with the configuration above

    execute curl -v --path-as-is "http://localhost:8080/.assets/public/../test.txt"; the response contains test.txt, which lies outside the mapped directory (--path-as-is is required because curl otherwise collapses the ../ segment client-side before sending the request)
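The containment check the resource loader needs, as an added example in plain Java that is not Micronaut's own code: it shows the unchecked resolution the description and repro above describe, a string-prefix check that still passes the repro, and a component-wise check that rejects it. The base directory is the one from the configuration above; the request strings are constructed inputs assumed to be what the handler sees after the /.assets/public/ mapping prefix is stripped and after percent-decoding (decode before this check, never after).

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Optional;

/**
 * Three ways of mapping a request path onto the configured assets directory.
 * Base directory taken from the advisory's configuration; the request strings
 * in main() are constructed test inputs, assumed to be already percent-decoded.
 */
public final class StaticPathResolver {

    static final Path BASE = Paths.get("/home/lstrmiska/test").toAbsolutePath().normalize();

    /** Unchecked: join and use. This is the behaviour the advisory describes. */
    static Path resolveUnchecked(Path base, String requested) {
        return base.resolve(requested);
    }

    /**
     * A common incomplete fix: normalize, then compare as strings. It fails for the
     * advisory's own repro, because "/home/lstrmiska/test.txt" starts with the
     * characters "/home/lstrmiska/test" even though it is not inside that directory.
     */
    static Optional<Path> resolveStringPrefix(Path base, String requested) {
        Path joined = base.resolve(requested).normalize();
        return joined.toString().startsWith(base.toString())
                ? Optional.of(joined) : Optional.empty();
    }

    /**
     * Hardened: normalize, then compare whole path elements. Path.startsWith works
     * on name elements, so "test.txt" is not confused with "test". An absolute
     * request such as "/etc/passwd" replaces the base on resolve() and is rejected
     * as well. If the assets directory may contain symlinks, resolve both sides
     * with toRealPath() (which requires the file to exist) before this comparison.
     */
    static Optional<Path> resolveChecked(Path base, String requested) {
        Path joined = base.resolve(requested).normalize();
        return joined.startsWith(base) ? Optional.of(joined) : Optional.empty();
    }

    public static void main(String[] args) {
        // Request paths as the handler would see them after stripping the
        // "/.assets/public/" mapping prefix (constructed inputs, an assumption).
        String[] requests = {
            "index.html",           // normal request
            "css/../index.html",    // dot segments that stay inside the directory
            "../test.txt",          // the advisory's repro
            "css/../../test.txt",   // same escape, one level deeper
            "../test/index.html",   // leaves and re-enters: harmless
            "/etc/passwd",          // absolute path replaces the base on resolve()
        };
        System.out.printf("%-22s %-32s %-8s %s%n", "request", "unchecked", "string", "checked");
        for (String r : requests) {
            System.out.printf("%-22s %-32s %-8s %s%n",
                    r,
                    resolveUnchecked(BASE, r).normalize(),
                    resolveStringPrefix(BASE, r).isPresent() ? "allowed" : "denied",
                    resolveChecked(BASE, r).map(Path::toString).orElse("denied"));
        }
    }
}
```

Run it as a single-file program (java StaticPathResolver.java). The "unchecked" column resolves "../test.txt" to /home/lstrmiska/test.txt, which is the advisory's leak; the "string" column still reports it as allowed because /home/lstrmiska/test.txt shares the prefix /home/lstrmiska/test, and only the element-wise check in the last column denies it while keeping "css/../index.html" and "../test/index.html" usable.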

Impact

Any client that can reach the static-resource mapping can read arbitrary files on the host that are readable by the Micronaut process (application configuration, credentials, source code), so Micronaut can potentially leak sensitive information. This is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory).

Patches

diff --git a/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java b/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java
index 2f5a91403..19d3b7f05 100644
--- a/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java
+++ b/core/src/main/java/io/micronaut/core/io/file/DefaultFileSystemResourceLoader.java
@@ -69,6 +69,9 @@ public class DefaultFileSystemResourceLoader implements FileSystemResourceLoader
     @Override
     public Optional<InputStream> getResourceAsStream(String path) {
         Path filePath = getFilePath(normalize(path));...
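Review bot: the three lines this hunk adds are cut off on the page after `Path filePath = getFilePath(normalize(path));`, so the check itself cannot be reviewed here; whatever they do, normalizing the request string before getFilePath() is not enough on its own, and the point to verify is that the resolved filePath is compared against the configured base directory by path elements rather than as strings (a String.startsWith test against "/home/lstrmiska/test" would still accept "/home/lstrmiska/test.txt", the exact file in the repro), for instance `if (!filePath.normalize().startsWith(baseDir)) { return Optional.empty(); }` with the base directory held in whatever field this class uses, and with toRealPath() applied to both sides first if the directory may contain symlinks. If the class also hands the file out as a URL through a getResource variant, that path needs the identical guard, and a unit test feeding "../" input into getResourceAsStream would pin the intended behaviour.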

Workarounds

    do not use ** in the mapping; use a single * instead, which exposes only the flat contents of the configured directory and does not allow traversal into parent directories

    run Micronaut in a chroot (Linux only), so that a traversal cannot reach anything outside the jail; this limits the damage rather than fixing the traversal, since every file inside the chroot remains readable

References

See https://cwe.mitre.org/data/definitions/22.html

For more information

If you have any questions or comments about this advisory:
