Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS04MmozLWhmNzItN3g5M84ABA9D

Reposilite vulnerable to path traversal while serving javadoc expanded files (arbitrary file read) (`GHSL-2024-074`)

Summary

Reposilite v3.5.10 is affected by an Arbitrary File Read vulnerability via path traversal while serving expanded javadoc files.

Details

The problem lies in the way how the expanded javadoc files are served. The GET /javadoc/{repository}/<gav>/raw/<resource> route uses the <resource> path parameter to find the file in the javadocUnpackPath directory and returns it's content to the user.

JavadocFacade.kt#L77:

fun findRawJavadocResource(request: JavadocRawRequest): Result<JavadocRawResponse, ErrorResponse> =
   with (request) {
       mavenFacade.canAccessResource(accessToken, repository, gav)
           .flatMap { javadocContainerService.loadContainer(accessToken, repository, gav) }
           .filter({ Files.exists(it.javadocUnpackPath.resolve(resource.toString())) }, { notFound("Resource $resource not found") })
           .map {
               JavadocRawResponse(
                   contentType = supportedExtensions[resource.getExtension()] ?: ContentType.APPLICATION_OCTET_STREAM,
                   content = Files.newInputStream(it.javadocUnpackPath.resolve(resource.toString()))
               )
           }
   }

In this case, the <resource> path parameter can contain path traversal characters such as /../../. Since the path is concatenated with the main directory, it opens the possibility to read files outside the javadocUnpackPath directory.

Impact

This issue may lead to Arbitrary File Read on the server. A potential attacker can read some sensitive file, such as reposilite.db, that contains the sqlite database used by Reposilite. This database contains the sensitive information used by Reposilite, including passwords and hashes of issued tokens. Also, the configuration.cdn file can be read, which contains other sensitive properties.

Steps to reproduce

  1. Start the Reposilite instance on http://localhost:8080/
  2. Find at least one javadoc file in the hosted repositories. For example, the default test workspace contains the /releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar archive that is suitable for our attack.
  3. Send a GET request to http://127.0.0.1:8080/javadoc/releases/javadoc/1.0.0/raw/%2e%2e%5c%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2freposilite.db
    When this request is processed on the server, Reposilite tries to unpack the /repositories/releases/javadoc/1.0.0/javadoc-1.0.0-javadoc.jar file into the /javadocs/releases/javadoc/1.0.0/.cache/unpack folder. Then, it tries to read the ../../../../../../reposilite.db file from this folder, which triggers the path traversal attack.

image

Remediation

Normalize (remove all occurrences of /../) the <resource> path parameter before using it when reading the file. For example:

content = Files.newInputStream(it.javadocUnpackPath.resolve(resource.toPath()))

Changing resource.toString() to resource.toPath() is enough here as the com.reposilite.storage.api.Location#toPath method normalizes the string internally.

Permalink: https://github.com/advisories/GHSA-82j3-hf72-7x93
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS04MmozLWhmNzItN3g5M84ABA9D
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 16 days ago
Updated: 16 days ago


CVSS Score: 8.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Identifiers: GHSA-82j3-hf72-7x93
References: Repository: https://github.com/dzikoysk/reposilite
Blast Radius: 1.0

Affected Packages

maven:com.reposilite:reposilite-backend
Affected Version Ranges: >= 3.3.0, < 3.5.12
Fixed in: 3.5.12