<!-- 
RSS generated by JIRA (1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d) at Thu Feb 08 23:29:35 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary add field=key&field=summary to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-3636] mod-workflow postHandleEventsWithFile Path Traversal vulnerability</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-3636</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;&lt;a href=&quot;https://github.com/folio-org/mod-workflow/blob/13289327f0b4c14364387fb50e00d5f6b3571306/service/src/main/java/org/folio/rest/workflow/controller/EventController.java#L93&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-workflow/blob/13289327f0b4c14364387fb50e00d5f6b3571306/service/src/main/java/org/folio/rest/workflow/controller/EventController.java#L93&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;writes a file to a path location taken directly from the HTTP request, without confining it to an intended base directory, so a caller who can reach this endpoint can overwrite files elsewhere on the filesystem (relative path traversal). Any fix should canonicalize the requested path and reject it unless it resolves to a location under a fixed, per-tenant base directory.&lt;/p&gt;

&lt;p&gt;How is the module&apos;s own .jar file protected from being overwritten? Overwriting it would amount to Remote Code Execution.&lt;/p&gt;

&lt;p&gt;How are files belonging to tenant A protected from being overwritten by tenant B?&lt;/p&gt;

&lt;p&gt;Learn more about Relative Path Traversal at &lt;a href=&quot;https://cwe.mitre.org/data/definitions/23.html&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://cwe.mitre.org/data/definitions/23.html&lt;/a&gt;&lt;/p&gt;</description>
                <environment></environment>
        <key id="82341">FOLIO-3636</key>
            <summary>mod-workflow postHandleEventsWithFile Path Traversal vulnerability</summary>
                <type id="10001" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium">Bug</type>
                                            <priority id="10001" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p2.svg">P2</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="557058:ddc9bb7b-6444-4731-9688-566a04c9307c">Jeremy Huff</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                            <label>security</label>
                            <label>security-reviewed</label>
                    </labels>
                <created>Wed, 9 Nov 2022 07:59:41 +0000</created>
                <updated>Mon, 27 Feb 2023 15:31:26 +0000</updated>
                            <resolved>Mon, 27 Feb 2023 15:31:26 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>4</watches>
                                                                <comments>
                                                            <comment id="198384" author="557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577" created="Wed, 9 Nov 2022 17:06:53 +0000"  >&lt;p&gt;Make jar file read only.&lt;/p&gt;</comment>
                                                            <comment id="198386" author="5af5e627525ba96b58654f12" created="Thu, 10 Nov 2022 18:08:14 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; and &lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Aabe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; class=&quot;user-hover&quot; rel=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; data-account-id=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; accountid=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; rel=&quot;noreferrer&quot;&gt;William Welling&lt;/a&gt; Which dev team should this bug belong to?&lt;/p&gt;</comment>
                                                            <comment id="198387" author="5ee89462f7aa140abd82d11d" created="Tue, 15 Nov 2022 15:03:01 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Aabe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; class=&quot;user-hover&quot; rel=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; data-account-id=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; accountid=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; rel=&quot;noreferrer&quot;&gt;William Welling&lt;/a&gt; : Can you add mod-workflow to &lt;a href=&quot;https://folio-org.atlassian.net/wiki/display/REL/Team+vs+module+responsibility+matrix&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/wiki/display/REL/Team+vs+module+responsibility+matrix&lt;/a&gt; so that we more easily can assign a Jira to a po, a lead developer or a dev team?&lt;/p&gt;</comment>
                                                            <comment id="198389" author="5cf6c546b87c300f36eb7b9a" created="Thu, 17 Nov 2022 16:38:03 +0000"  >&lt;p&gt;This module is not the responsibility of the core-platform team.&#160; We need to identify which team (or individual) is responsible. &#160;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3Aabe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; class=&quot;user-hover&quot; rel=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; data-account-id=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; accountid=&quot;557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577&quot; rel=&quot;noreferrer&quot;&gt;William Welling&lt;/a&gt; it seems like you&apos;ve been a main contributor to this codebase, are you the de facto owner?&#160;&#160;&lt;/p&gt;</comment>
                                                            <comment id="198391" author="557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577" created="Mon, 21 Nov 2022 20:29:28 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5cf6c546b87c300f36eb7b9a&quot; class=&quot;user-hover&quot; rel=&quot;5cf6c546b87c300f36eb7b9a&quot; data-account-id=&quot;5cf6c546b87c300f36eb7b9a&quot; accountid=&quot;5cf6c546b87c300f36eb7b9a&quot; rel=&quot;noreferrer&quot;&gt;Craig McNally&lt;/a&gt;, if we wish to exclude a workflow engine from core-platform, where would you recommend?&lt;/p&gt;</comment>
                                                            <comment id="198393" author="5ee89462f7aa140abd82d11d" created="Fri, 25 Nov 2022 10:04:52 +0000"  >&lt;p&gt;mod-workflow is not included into platform-complete or platform-core:&lt;br/&gt;
&lt;a href=&quot;https://github.com/folio-org/platform-complete/blob/master/install-extras.json&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/platform-complete/blob/master/install-extras.json&lt;/a&gt;&lt;br/&gt;
&lt;a href=&quot;https://github.com/folio-org/platform-core/blob/master/install-extras.json&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/platform-core/blob/master/install-extras.json&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Therefore the &quot;Core/Complete&quot; column on &lt;a href=&quot;https://folio-org.atlassian.net/wiki/display/REL/Team+vs+module+responsibility+matrix&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://folio-org.atlassian.net/wiki/display/REL/Team+vs+module+responsibility+matrix&lt;/a&gt; should not list mod-workflow as core or complete.&lt;/p&gt;</comment>
                                                            <comment id="198395" author="5ee89462f7aa140abd82d11d" created="Fri, 25 Nov 2022 10:48:08 +0000"  >&lt;p&gt;If there is no team and no product owner for mod-workflow this should be indicated in the column (&quot;none&quot;).&lt;/p&gt;

&lt;p&gt;A contact should be put into the &quot;Dev Lead/Contact&quot; column unless the module is no longer maintained.&lt;/p&gt;</comment>
                                                            <comment id="198396" author="557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577" created="Mon, 5 Dec 2022 14:04:37 +0000"  >&lt;p&gt;Is there a CI that can perform relative path traversal analysis and report?&lt;/p&gt;</comment>
                                                            <comment id="198397" author="557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577" created="Mon, 5 Dec 2022 14:11:53 +0000"  >&lt;p&gt;I wonder whether any dependency or code in mod-workflow would execute an arbitrary file placed on the classpath even without overwriting an existing one. And if overwriting is required, does the path traversal actually allow overwriting such files?&lt;/p&gt;

&lt;p&gt;I am thinking we can prevent such overwrites by requiring that the directory path request parameter resolve to a location outside the runtime&apos;s own directories.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt;, would that be an acceptable validation to prevent this vulnerability?&lt;/p&gt;

&lt;p&gt;Then again, what dependency is compiling to byte code at runtime?&lt;/p&gt;</comment>
                                                            <comment id="198398" author="557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577" created="Mon, 5 Dec 2022 14:18:11 +0000"  >&lt;p&gt;&quot;How are files from tenant a being protected from getting overwritten by tenant b?&quot;&lt;/p&gt;

&lt;p&gt;This is a fair assessment. We will have to scope the directory path to a per-tenant parent directory.&lt;/p&gt;
                                                            <comment id="198400" author="557058:abe52938-e5a4-4b11-be6c-c0d83a4b2577" created="Mon, 5 Dec 2022 14:45:49 +0000"  >&lt;p&gt;&lt;a href=&quot;https://github.com/folio-org/mod-workflow/pull/61&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;FOLIO-3636: Namespace event handle files to tenant by wwelling &#183; Pull Request #61 &#183; folio-org/mod-workflow (github.com)&lt;/a&gt;&lt;/p&gt;</comment>
                    </comments>
                    <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10170"><![CDATA[Other dev]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                <customfield id="customfield_10063" key="com.atlassian.jira.plugin.system.customfieldtypes:float">
                        <customfieldname>PO Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0.0</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                    <customfield id="customfield_10106" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>RCA Group</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10372"><![CDATA[Implementation coding issue]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                            <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|i05qsz:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Wed, 9 Nov 2022 17:06:53 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>