[FOLIO-3636] mod-workflow postHandleEventsWithFile Path Traversal vulnerability Created: 09/Nov/22  Updated: 27/Feb/23  Resolved: 27/Feb/23

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P2
Reporter: Julian Ladisch Assignee: Jeremy Huff
Resolution: Done Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint:
Development Team: Other dev
RCA Group: Implementation coding issue

Description

https://github.com/folio-org/mod-workflow/blob/13289327f0b4c14364387fb50e00d5f6b3571306/service/src/main/java/org/folio/rest/workflow/controller/EventController.java#L93

overwrites a file at a path location provided in the HTTP request.

How is the .jar file protected from being overwritten (Remote Code Execution)?

How are files from tenant a being protected from getting overwritten by tenant b?

Learn more about Relative Path Traversal at https://cwe.mitre.org/data/definitions/23.html

Comments
Comment by William Welling [ 09/Nov/22 ]

Make jar file read only.

Comment by Ann-Marie Breaux (Inactive) [ 10/Nov/22 ]

Hi Julian Ladisch and William Welling, which dev team should this bug belong to?

Comment by Julian Ladisch [ 15/Nov/22 ]

William Welling: Can you add mod-workflow to https://folio-org.atlassian.net/wiki/display/REL/Team+vs+module+responsibility+matrix so that we can more easily assign a Jira to a PO, a lead developer or a dev team?

Comment by Craig McNally [ 17/Nov/22 ]

This module is not the responsibility of the core-platform team. We need to identify which team (or individual) is responsible. William Welling, it seems like you've been a main contributor to this codebase; are you the de facto owner?

Comment by William Welling [ 21/Nov/22 ]

Craig McNally, if we wish to exclude a workflow engine from core-platform, where would you recommend?

Comment by Julian Ladisch [ 25/Nov/22 ]

mod-workflow is not included in platform-complete or platform-core:
https://github.com/folio-org/platform-complete/blob/master/install-extras.json
https://github.com/folio-org/platform-core/blob/master/install-extras.json

Therefore the "Core/Complete" column on https://folio-org.atlassian.net/wiki/display/REL/Team+vs+module+responsibility+matrix should not list mod-workflow as core or complete.

Comment by Julian Ladisch [ 25/Nov/22 ]

If there is no team and no product owner for mod-workflow this should be indicated in the column ("none").

A contact should be put into the "Dev Lead/Contact" column unless the module is no longer maintained.

Comment by William Welling [ 05/Dec/22 ]

Is there a CI that can perform relative path traversal analysis and report?

Comment by William Welling [ 05/Dec/22 ]

Wonder if a dependency or code in mod-workflow can execute an arbitrary file placed on the classpath without overriding? Even if overriding, does the path traversal describe potential overrides?

I am thinking we can ensure no override by requiring the directory path request parameter to be outside the scope of runtime.

Julian Ladisch, would that be an acceptable validation to prevent this vulnerability?

Then again, what dependency is compiling to byte code at runtime?

Comment by William Welling [ 05/Dec/22 ]

"How are files from tenant a being protected from getting overwritten by tenant b?"

This is a fair assessment. We will have to scope the directory path with a parent directory of the tenant.
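The tenant-scoped directory check described in the comment above, written out as an added example; this is not mod-workflow's own code. The storage root `BASE_DIR`, the tenant id pattern, the class and method names, and the sample request paths in `main` are all assumptions constructed for illustration. The idea is that the request parameter is only ever treated as a path relative to the tenant's own directory, and the normalized result is refused if it resolves anywhere else, which covers both the overwrite-the-jar case and the cross-tenant case from the description.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.regex.Pattern;

/**
 * Added example (not mod-workflow code): resolve a client-supplied file
 * location under a per-tenant base directory and refuse anything that
 * escapes it. BASE_DIR, TENANT_ID and the method names are assumptions.
 */
public final class TenantScopedFileStore {

    // Assumed storage root; a real deployment would take this from configuration.
    private static final Path BASE_DIR =
            Paths.get("/var/lib/workflow-events").toAbsolutePath().normalize();

    // The tenant id becomes a single directory name, so restrict it to a
    // conservative character set; this also blocks "/" and ".." inside the id.
    private static final Pattern TENANT_ID = Pattern.compile("[A-Za-z0-9_]{1,64}");

    private TenantScopedFileStore() {}

    /**
     * Returns the absolute path for requestedPath inside the tenant's directory,
     * or throws IllegalArgumentException if the request points outside it.
     */
    public static Path resolveForTenant(String tenantId, String requestedPath) {
        if (tenantId == null || !TENANT_ID.matcher(tenantId).matches()) {
            throw new IllegalArgumentException("invalid tenant id");
        }
        if (requestedPath == null || requestedPath.isEmpty()) {
            throw new IllegalArgumentException("missing path");
        }
        Path tenantDir = BASE_DIR.resolve(tenantId);
        Path candidate = Paths.get(requestedPath);
        // resolve() with an absolute argument returns that argument unchanged,
        // discarding tenantDir, so reject absolute input before anything else.
        if (candidate.isAbsolute()) {
            throw new IllegalArgumentException("absolute paths are not allowed");
        }
        // normalize() collapses "." and ".." so "../../x" cannot walk out of tenantDir.
        Path resolved = tenantDir.resolve(candidate).normalize();
        // Path.startsWith compares whole name elements, so "/base/diku2" does not
        // count as being inside "/base/diku".
        if (!resolved.startsWith(tenantDir)) {
            throw new IllegalArgumentException("path escapes tenant directory");
        }
        return resolved;
    }

    /** Writes content to a tenant-scoped file, creating the tenant directory if needed. */
    public static Path write(String tenantId, String requestedPath, byte[] content)
            throws IOException {
        Path target = resolveForTenant(tenantId, requestedPath);
        Files.createDirectories(target.getParent());
        return Files.write(target, content,
                StandardOpenOption.CREATE, StandardOpenOption.TRUNCATE_EXISTING);
    }

    public static void main(String[] args) {
        // Constructed sample requests: the first is legitimate, the rest must be refused.
        String[][] samples = {
            {"diku", "events/handler-1.json"},
            {"diku", "../../opt/app/module.jar"},
            {"diku", "/etc/passwd"},
            {"../diku", "events/handler-1.json"},
        };
        for (String[] s : samples) {
            try {
                System.out.println("ALLOW " + resolveForTenant(s[0], s[1]));
            } catch (IllegalArgumentException e) {
                System.out.println("DENY  " + s[0] + " " + s[1] + ": " + e.getMessage());
            }
        }
    }
}
```

Two caveats worth keeping in mind when applying this pattern: `normalize()` works on the path string only, so if untrusted users can create symbolic links under the tenant directory, the write should additionally canonicalize with `toRealPath()` on the existing parent and repeat the `startsWith` check; and the containment check only helps if the jar and other runtime files live outside `BASE_DIR` entirely, which is the "outside the scope of runtime" requirement raised earlier in this thread.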

Comment by William Welling [ 05/Dec/22 ]

🐛 FOLIO-3636: Namespace event handle files to tenant by wwelling · Pull Request #61 · folio-org/mod-workflow (github.com)

Generated at Thu Feb 08 23:29:35 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.