You are viewing a plain text version of this content. The canonical link for it is here.
Posted to java-dev@axis.apache.org by "Andreas Veithen (JIRA)" <ji...@apache.org> on 2017/09/10 20:20:00 UTC
[jira] [Commented] (AXIS2-5882) Path Manipulation in
WSDL20ToAxisServiceBuilder and PreProcessorInputStream
[ https://issues.apache.org/jira/browse/AXIS2-5882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16160467#comment-16160467 ]
Andreas Veithen commented on AXIS2-5882:
----------------------------------------
AFAICS {{PreProcessorInputStream}} is used by the IDL processor to process {{#include}} statements. This is a legitimate use of path manipulation. I don't see how this would satisfy any of the two conditions you mentioned.
Please note that naive implementations of static code analyzers designed to detect security issues will produce a lot of false positives like this. Please don't create bugs unless you have confirmed that the reported "issues" are actual security problems.
> Path Manipulation in WSDL20ToAxisServiceBuilder and PreProcessorInputStream
> ---------------------------------------------------------------------------
>
> Key: AXIS2-5882
> URL: https://issues.apache.org/jira/browse/AXIS2-5882
> Project: Axis2
> Issue Type: Bug
> Components: jaxws
> Affects Versions: 1.7.6
> Reporter: Donald Kwakkel
> Priority: Critical
> Labels: security
>
> Attackers can control the filesystem path argument to File() at PreProcessorInputStream.java line 218, which allows them to access or modify otherwise protected files.
> Explanation:
> Path manipulation errors occur when the following two conditions are met:
> 1. An attacker can specify a path used in an operation on the filesystem.
> 2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.
> For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.
> In this case, the attacker can specify the value that enters the program at readLine() in PreProcessorInputStream.java at line 86, and this value is used to access a filesystem resource at File() in PreProcessorInputStream.java at line 218, 230, 232, 250, 253, 278.
> Possible solution: Make sure the absolute filename is validated against known/configured valid base path.
> Also:
> Attackers can control the filesystem path argument to File() at WSDL20ToAxisServiceBuilder.java line 153, which allows them to access or modify otherwise protected files. In this case, the attacker can specify the value that enters the program at getHeaderField() in CodeGenerationEngine.java at line 101, and this value is used to access a filesystem resource at File() in WSDL20ToAxisServiceBuilder.java at line 153 and 1281.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org