axis-java-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Andreas Veithen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (AXIS2-5882) Path Manipulation in WSDL20ToAxisServiceBuilder and PreProcessorInputStream
Date Sun, 10 Sep 2017 20:20:00 GMT

    [ https://issues.apache.org/jira/browse/AXIS2-5882?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16160467#comment-16160467
] 

Andreas Veithen commented on AXIS2-5882:
----------------------------------------

AFAICS {{PreProcessorInputStream}} is used by the IDL processor to process {{#include}} statements.
This is a legitimate use of path manipulation. I don't see how this would satisfy any of the
two conditions you mentioned.

Please note that naive implementations of static code analyzers designed to detect security
issues will produce a lot of false positives like this. Please don't create bugs unless you
have confirmed that the reported "issues" are actual security problems.

> Path Manipulation in WSDL20ToAxisServiceBuilder and PreProcessorInputStream
> ---------------------------------------------------------------------------
>
>                 Key: AXIS2-5882
>                 URL: https://issues.apache.org/jira/browse/AXIS2-5882
>             Project: Axis2
>          Issue Type: Bug
>          Components: jaxws
>    Affects Versions: 1.7.6
>            Reporter: Donald Kwakkel
>            Priority: Critical
>              Labels: security
>
> Attackers can control the filesystem path argument to File() at PreProcessorInputStream.java
line 218, which allows them to access or modify otherwise protected files.
> Explanation:
> Path manipulation errors occur when the following two conditions are met:
> 1. An attacker can specify a path used in an operation on the filesystem.
> 2. By specifying the resource, the attacker gains a capability that would not otherwise
be permitted.
> For example, the program may give the attacker the ability to overwrite the specified
file or run with a configuration controlled by the attacker.
> In this case, the attacker can specify the value that enters the program at readLine()
in PreProcessorInputStream.java at line 86, and this value is used to access a filesystem
resource at File() in PreProcessorInputStream.java at line 218, 230, 232, 250, 253, 278.
> Possible solution: Make sure the absolute filename is validated against known/configured
valid base path.
> Also: 
> Attackers can control the filesystem path argument to File() at WSDL20ToAxisServiceBuilder.java
line 153, which allows them to access or modify otherwise protected files. In this case, the
attacker can specify the value that enters the program at getHeaderField() in CodeGenerationEngine.java
at line 101, and this value is used to access a filesystem resource at File() in WSDL20ToAxisServiceBuilder.java
at line 153 and 1281.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: java-dev-unsubscribe@axis.apache.org
For additional commands, e-mail: java-dev-help@axis.apache.org


Mime
View raw message