Details
-
Type:
Improvement
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: 3.2
-
Fix Version/s: EE-3.2.0.GA, 3.3
-
Component/s: Framework, ICE-Components
-
Labels:None
-
Environment:Security
-
Assignee Priority:P2
Description
This is a specific case opened up as part of a detailed analysis (ICE-8771) of a Veracode security report submitted by a customer.
The reported issue was: "External Control of File Name or Path"
The details provided by Veracode were:
This call to java.lang.ClassLoader.getResourceAsStream() contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to getResourceAsStream() contains tainted data from the variable path. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getPathInfo. Validate all user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters.
The relevant class is:
com.icesoft.faces.webapp.CompatResourceServlet
void service(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
The task is to review the and attempt to ensure, if possible, that input from the user is sanitized before being used to generate path names.
The reported issue was: "External Control of File Name or Path"
The details provided by Veracode were:
This call to java.lang.ClassLoader.getResourceAsStream() contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to getResourceAsStream() contains tainted data from the variable path. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getPathInfo. Validate all user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters.
The relevant class is:
com.icesoft.faces.webapp.CompatResourceServlet
void service(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)
The task is to review the and attempt to ensure, if possible, that input from the user is sanitized before being used to generate path names.
Issue Links
- blocks
-
ICE-8771
SECURITY: Potential security improvements related to findings from Veracode security scan
-
- Closed
-
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
| Status | Resolved [ 5 ] | Closed [ 6 ] |
| Security | Private [ 10001 ] |
| Status | Open [ 1 ] | Resolved [ 5 ] |
| Resolution | Fixed [ 1 ] |
| Assignee Priority | P2 [ 10011 ] |
| Summary | External Control of File Name or Path | SECURITY: External Control of File Name or Path |
| Field | Original Value | New Value |
|---|---|---|
| Summary | Placeholder issue | External Control of File Name or Path |
| Issue Type | Bug [ 1 ] | Improvement [ 4 ] |
| Assignee | Deryk Sinotte [ deryk.sinotte ] | |
| Fix Version/s | EE-3.2.0.GA [ 10332 ] | |
| Fix Version/s | 3.3 [ 10370 ] | |
| Reporter | Migration [ remote ] | Deryk Sinotte [ deryk.sinotte ] |
| Affects Version/s | 3.2 [ 10338 ] | |
| Environment | Test | Security |
| Description | Placeholder issue |
This is a specific case opened up as part of a detailed analysis ( The reported issue was: "External Control of File Name or Path" The details provided by Veracode were: This call to java.lang.ClassLoader.getResourceAsStream() contains a path manipulation flaw. The argument to the function is a filename constructed using user-supplied input. If an attacker is allowed to specify all or part of the filename, it may be possible to gain unauthorized access to files on the server, including those outside the webroot, that would be normally be inaccessible to end users. The level of exposure depends on the effectiveness of input validation routines, if any. The first argument to getResourceAsStream() contains tainted data from the variable path. The tainted data originated from an earlier call to javax.servlet.http.HttpServletRequest.getPathInfo. Validate all user-supplied input to ensure that it conforms to the expected format, using centralized data validation routines when possible. When using black lists, be sure that the sanitizing routine performs a sufficient number of iterations to remove all instances of disallowed characters. The relevant class is: com.icesoft.faces.webapp.CompatResourceServlet void service(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse) The task is to review the and attempt to ensure, if possible, that input from the user is sanitized before being used to generate path names. |
| Component/s | Components [ 10012 ] | |
| Component/s | Framework [ 10013 ] |