[FOLIO-3636] mod-workflow postHandleEventsWithFile Path Traversal vulnerability Created: 09/Nov/22 Updated: 27/Feb/23 Resolved: 27/Feb/23 |
|
| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Bug | Priority: | P2 |
| Reporter: | Julian Ladisch | Assignee: | Jeremy Huff |
| Resolution: | Done | Votes: | 0 |
| Labels: | security, security-reviewed | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original estimate: | Not Specified | ||
| Sprint: | |
| Development Team: | Other dev |
| RCA Group: | Implementation coding issue |
| Description |
|
postHandleEventsWithFile overwrites a file at a path location provided in the HTTP request. How is the .jar file protected from being overwritten (Remote Code Execution)? How are files from tenant a being protected from getting overwritten by tenant b? Learn more about Relative Path Traversal at https://cwe.mitre.org/data/definitions/23.html |
| Comments |
| Comment by William Welling [ 09/Nov/22 ] |
|
Make jar file read only. |
| Comment by Ann-Marie Breaux (Inactive) [ 10/Nov/22 ] |
|
Hi Julian Ladisch and William Welling Which dev team should this bug belong to? |
| Comment by Julian Ladisch [ 15/Nov/22 ] |
|
William Welling : Can you add mod-workflow to https://folio-org.atlassian.net/wiki/display/REL/Team+vs+module+responsibility+matrix so that we can more easily assign a Jira to a PO, a lead developer or a dev team? |
| Comment by Craig McNally [ 17/Nov/22 ] |
|
This module is not the responsibility of the core-platform team. We need to identify which team (or individual) is responsible. William Welling it seems like you've been a main contributor to this codebase, are you the de facto owner? |
| Comment by William Welling [ 21/Nov/22 ] |
|
Craig McNally, if we wish to exclude a workflow engine from core-platform, where would you recommend? |
| Comment by Julian Ladisch [ 25/Nov/22 ] |
|
mod-workflow is not included in platform-complete or platform-core: Therefore the "Core/Complete" column on https://folio-org.atlassian.net/wiki/display/REL/Team+vs+module+responsibility+matrix should not list mod-workflow as core or complete. |
| Comment by Julian Ladisch [ 25/Nov/22 ] |
|
If there is no team and no product owner for mod-workflow this should be indicated in the column ("none"). A contact should be put into the "Dev Lead/Contact" column unless the module is no longer maintained. |
| Comment by William Welling [ 05/Dec/22 ] |
|
Is there a CI that can perform relative path traversal analysis and report? |
| Comment by William Welling [ 05/Dec/22 ] |
|
Wonder if a dependency or code in mod-workflow can execute an arbitrary file placed on the classpath without overriding? Even if overriding, does the path traversal describe potential overrides? I am thinking we can ensure no override by requiring the directory path request parameter to be outside the scope of runtime. Julian Ladisch, would that be an acceptable validation to prevent this vulnerability? Then again, what dependency is compiling to byte code at runtime? |
| Comment by William Welling [ 05/Dec/22 ] |
|
"How are files from tenant a being protected from getting overwritten by tenant b?" This is a fair assessment. We will have to scope the directory path with a parent directory of the tenant. |
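The check that the description asks for and that the comment above proposes (scope the request-supplied path to a per-tenant parent directory) can be expressed as a containment test on the normalized path. The class below is an added example, not mod-workflow code: the tenant directory layout, the class and method names, and the sample request paths are assumptions. It resolves the client-supplied path against the tenant's directory, folds ".." segments, and rejects anything whose result is not inside that directory; this covers both the cross-tenant write and an attempt to reach the module's .jar, because neither target lies under the tenant root. It also re-checks the nearest existing ancestor through toRealPath, so a symlink planted inside the tenant directory cannot redirect the write outside it.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Added example (not mod-workflow code): confine a request-supplied file path
 * to a per-tenant directory before writing to it.
 */
public final class TenantScopedPath {

    private TenantScopedPath() {}

    /**
     * Resolve requestedPath (taken from the HTTP request) against the tenant's
     * directory and reject anything that escapes it.
     *
     * @param tenantRoot    per-tenant base directory (hypothetical layout,
     *                      e.g. /var/lib/workflow/tenant_a)
     * @param requestedPath path as supplied by the client
     * @return the normalized absolute path, guaranteed to be inside tenantRoot
     * @throws IllegalArgumentException if the path escapes tenantRoot
     */
    public static Path resolveWithinTenant(Path tenantRoot, String requestedPath)
            throws IOException {
        if (requestedPath == null || requestedPath.isEmpty()
                || requestedPath.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid path");
        }
        // Canonical base: follows symlinks so later comparisons are against
        // the directory that actually exists on disk.
        Path base = tenantRoot.toRealPath();

        // resolve() replaces the base entirely when requestedPath is absolute,
        // and normalize() folds ".." segments; Path.startsWith compares whole
        // components, so /x/tenant_a does not match /x/tenant_ab.
        Path target = base.resolve(requestedPath).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException(
                "path escapes tenant directory: " + requestedPath);
        }

        // Walk up to the nearest ancestor that exists and canonicalize it, so a
        // symlink inside the tenant directory cannot point the write elsewhere.
        Path existing = target;
        while (existing != null && !Files.exists(existing)) {
            existing = existing.getParent();
        }
        if (existing != null && !existing.toRealPath().startsWith(base)) {
            throw new IllegalArgumentException(
                "symlink escapes tenant directory: " + requestedPath);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary directory stands in for one tenant's root.
        Path root = Files.createTempDirectory("tenant_a");
        String[] samples = {
            "events/2022-11-09.json",      // accepted: stays under the tenant root
            "../tenant_b/events/x.json",   // rejected: another tenant's directory
            "../../app/mod-workflow.jar",  // rejected: would overwrite the module jar
            "/etc/passwd"                  // rejected: absolute path replaces the base
        };
        for (String s : samples) {
            try {
                System.out.println("ACCEPT " + s + " -> " + resolveWithinTenant(root, s));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The containment test belongs at the point where the request parameter is turned into a Path, before any file is opened for writing; combined with a read-only module jar and a tenant root that does not contain the runtime, it answers both questions raised in the description.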
| Comment by William Welling [ 05/Dec/22 ] |