Posted to commits@maven.apache.org by kh...@apache.org on 2022/07/29 14:21:30 UTC

[maven-pmd-plugin] branch BulkSecurityGeneratorProjectV2-fix/JLL/partial-path-traversal-vulnerability updated (b7ba046 -> 2404708)

This is an automated email from the ASF dual-hosted git repository.

khmarbaise pushed a change to branch BulkSecurityGeneratorProjectV2-fix/JLL/partial-path-traversal-vulnerability
in repository https://gitbox.apache.org/repos/asf/maven-pmd-plugin.git


 discard b7ba046  [SECURITY] Fix Partial Path Traversal Vulnerability
     new 2404708  [SECURITY] Fix Partial Path Traversal Vulnerability

This update added new revisions after undoing existing revisions.
That is to say, some revisions that were in the old version of the
branch are not in the new version.  This situation occurs
when a user --force pushes a change and generates a repository
containing something like this:

 * -- * -- B -- O -- O -- O   (b7ba046)
            \
             N -- N -- N   refs/heads/BulkSecurityGeneratorProjectV2-fix/JLL/partial-path-traversal-vulnerability (2404708)

You should already have received notification emails for all of the O
revisions, and so the following emails describe only the N revisions
from the common base, B.

Any revisions marked "omit" are not gone; other references still
refer to them.  Any revisions marked "discard" are gone forever.

The 1 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 src/main/java/org/apache/maven/plugins/pmd/AbstractPmdReport.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)


[maven-pmd-plugin] 01/01: [SECURITY] Fix Partial Path Traversal Vulnerability

Posted by kh...@apache.org.

khmarbaise pushed a commit to branch BulkSecurityGeneratorProjectV2-fix/JLL/partial-path-traversal-vulnerability
in repository https://gitbox.apache.org/repos/asf/maven-pmd-plugin.git

commit 24047088b2346a75efb1e1e9641bd75fcc549806
Author: Jonathan Leitschuh <Jo...@gmail.com>
AuthorDate: Fri Jul 29 13:38:12 2022 +0000

    [SECURITY] Fix Partial Path Traversal Vulnerability
    
    This fixes a partial path traversal vulnerability.
    
    Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.
    
    To demonstrate this vulnerability, consider `"/usr/outnot".startsWith("/usr/out")`.
    The check is bypassed although `/outnot` is not under the `/out` directory.
    It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
    For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/"))` will print `/var/`;
    however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.
    
    Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    Severity: Medium
    CVSS: 6.1
    Detection: CodeQL & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.PartialPathTraversalVulnerability)
    
    Reported-by: Jonathan Leitschuh <Jo...@gmail.com>
    Signed-off-by: Jonathan Leitschuh <Jo...@gmail.com>
    
    Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/13
    
    Co-authored-by: Moderne <te...@moderne.io>
    Signed-off-by: Karl Heinz Marbaise <kh...@apache.org>
---
 src/main/java/org/apache/maven/plugins/pmd/AbstractPmdReport.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
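The sibling-prefix bypass the commit message describes, shown beside the replacement check, as an added example that is not code from maven-pmd-plugin or from this commit; it builds a constructed `out`/`outnot` layout under a temporary directory so it runs anywhere:

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * String.startsWith on canonical paths accepts any sibling whose name merely
 * begins with the parent's name; Path.startsWith compares whole name elements.
 * Added example, not part of the plugin.
 */
public class PartialPathTraversalDemo
{
    /** The pattern the commit removes. */
    static boolean vulnerableIsUnder( File dir, File parent ) throws IOException
    {
        return dir.getCanonicalPath().startsWith( parent.getCanonicalPath() );
    }

    /** The pattern the commit introduces: element-wise comparison of canonical paths. */
    static boolean fixedIsUnder( File dir, File parent ) throws IOException
    {
        return dir.getCanonicalFile().toPath().startsWith( parent.getCanonicalFile().toPath() );
    }

    public static void main( String[] args ) throws IOException
    {
        // Constructed layout: <tmp>/out, <tmp>/out/sub and the sibling <tmp>/outnot
        Path root = Files.createTempDirectory( "traversal-demo" );
        File out = Files.createDirectory( root.resolve( "out" ) ).toFile();
        File inside = Files.createDirectory( out.toPath().resolve( "sub" ) ).toFile();
        File outnot = Files.createDirectory( root.resolve( "outnot" ) ).toFile();

        // The sibling shares the string prefix "out" but is not inside "out"
        System.out.println( "vulnerable check, outnot under out: " + vulnerableIsUnder( outnot, out ) );
        System.out.println( "fixed check,      outnot under out: " + fixedIsUnder( outnot, out ) );
        // A genuine child directory must still be recognised after the fix
        System.out.println( "fixed check,      out/sub under out: " + fixedIsUnder( inside, out ) );

        // Remove the constructed layout again (children before parents)
        Files.delete( inside.toPath() );
        Files.delete( outnot.toPath() );
        Files.delete( out.toPath() );
        Files.delete( root );
    }
}
```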

diff --git a/src/main/java/org/apache/maven/plugins/pmd/AbstractPmdReport.java b/src/main/java/org/apache/maven/plugins/pmd/AbstractPmdReport.java
index 7bdd483..afdce98 100644
--- a/src/main/java/org/apache/maven/plugins/pmd/AbstractPmdReport.java
+++ b/src/main/java/org/apache/maven/plugins/pmd/AbstractPmdReport.java
@@ -491,7 +491,10 @@ public abstract class AbstractPmdReport
         {
             try
             {
-                if ( sourceDirectoryToCheck.getCanonicalPath().startsWith( excludeDir.getCanonicalPath() ) )
+                if ( sourceDirectoryToCheck
+                    .getCanonicalFile()
+                    .toPath()
+                    .startsWith( excludeDir.getCanonicalFile().toPath() ) )
                 {
                     getLog().debug( "Directory " + sourceDirectoryToCheck.getAbsolutePath()
                                         + " has been excluded as it matches excludeRoot "
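Review bot: the new four-line `if` condition is the right replacement, since `Path.startsWith` compares whole name elements and so no longer matches `outnot` against an `excludeRoot` of `out`, but the diffstat shows only `AbstractPmdReport.java` changed, so nothing in this change exercises the sibling-prefix case; suggest adding a unit test with `excludeRoot` pointing at a directory `out` and a source directory `outnot` asserting it is not excluded, alongside one for `out/sub` asserting it is. Worth a short code comment as well: both sides pass through `getCanonicalFile()`, so the comparison happens after symlink resolution, which is intended here but means an `excludeRoot` given as a symlink is matched by its target, while the debug message that follows still prints `getAbsolutePath()` and may show a different form of the same directory.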