Openrefine: Directory traversal (unsafe unzip) vulnerability

Created on 20 Nov 2018 · 8 Comments · Source: OpenRefine/OpenRefine

Describe the bug

It is possible to create files outside the temporary folder by importing a zip file containing files with relative paths. This can be used to create scripts and configurations at locations where they can be picked up by applications, other scripts or executed during start up.

Additional information https://snyk.io/research/zip-slip-vulnerability

To Reproduce
Video (zipped because of GitHub file extension restrictions): openrefine_zip_dir_traversal.zip

Steps to reproduce the behavior:

Create payload and start server on Linux

cd /tmp/
touch "dangerousscript.sh"
zip legitdata.zip "../../../../../../../../tmp/dangerousscript.sh"
python -m http.server 8000

Steps in OpenRefine

  1. Start openrefine ($ ./refine)
  2. Click on "Create Project"
  3. Click on "Web Addresses (URLs)" (also possible through uploading a local zip file)
  4. Insert a malicious URL, eg. http://lookslegit.com/cooldata/legitdata.zip
  5. If the file does not exist, the malicious file is silently created
    If the file does exist, openrefine shows a stack trace (see below) on terminal

Current Results

No error nor warning.

Expected behavior

Warn the user about dangerous content in the zip and prevent the creation of the file.

Video

The video is inside a zip file because of GitHub file extension restrictions.

Desktop (please complete the following information):

  • OS: Linux (Arch, Debian)
  • Browser Version: Not important
  • JRE or JDK Version:
openjdk version "1.8.0_171"
OpenJDK Runtime Environment (build 1.8.0_171-8u171-b11-2-b11)
OpenJDK 64-Bit Server VM (build 25.171-b11, mixed mode)

And

openjdk version "1.8.0_192"
OpenJDK Runtime Environment (build 1.8.0_192-b26)
OpenJDK 64-Bit Server VM (build 25.192-b26, mixed mode)

OpenRefine (please complete the following information):

  • Version 3.0 [TRUNK] and 3.1-beta [TRUNK] (maybe also previous versions)

Stack trace

java.io.FileNotFoundException: /tmp/Jetty_127_0_0_1_3333_webapp____4ulpc9/import/2/raw-data/-2../../../../../../../../tmp/dangerousscript.sh (No such file or directory)
    at java.io.FileOutputStream.open0(Native Method)
    at java.io.FileOutputStream.open(FileOutputStream.java:270)
    at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
    at java.io.FileOutputStream.<init>(FileOutputStream.java:162)
    at com.google.refine.importing.ImportingUtilities.saveStreamToFile(ImportingUtilities.java:591)
    at com.google.refine.importing.ImportingUtilities.explodeArchive(ImportingUtilities.java:749)
    at com.google.refine.importing.ImportingUtilities.postProcessRetrievedFile(ImportingUtilities.java:619)
    at com.google.refine.importing.ImportingUtilities.saveStream(ImportingUtilities.java:512)
    at com.google.refine.importing.ImportingUtilities.download(ImportingUtilities.java:441)
    at com.google.refine.importing.ImportingUtilities.download(ImportingUtilities.java:372)
    at com.google.refine.importing.ImportingUtilities.retrieveContentFromPostRequest(ImportingUtilities.java:285)
    at com.google.refine.importing.ImportingUtilities.loadDataAndPrepareJob(ImportingUtilities.java:141)
    at com.google.refine.importing.DefaultImportingController.doLoadRawData(DefaultImportingController.java:119)
    at com.google.refine.importing.DefaultImportingController.doPost(DefaultImportingController.java:87)
    at com.google.refine.commands.importing.ImportingControllerCommand.doPost(ImportingControllerCommand.java:62)
    at com.google.refine.RefineServlet.service(RefineServlet.java:178)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
    at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
    at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
    at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
    at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
    at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
    at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
    at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
    at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
    at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
    at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
    at org.mortbay.jetty.Server.handle(Server.java:326)
    at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:542)
    at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:938)
    at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
    at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
    at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
    at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:748)
Labels: vulnerability
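As an added example (not OpenRefine's code), the Zip Slip check that the expected-behaviour section asks for, written in Python: every entry's destination is resolved and checked against the import directory before anything is written, an archive with an escaping entry is refused, and a clean one is extracted. The archives, the target paths and the helper names are constructed here; the traversal entry name mirrors the payload in the report.

```python
import io
import tempfile
import zipfile
from pathlib import Path

def entry_escapes(target_dir, entry_name):
    """Zip Slip check: True if the entry's resolved destination leaves target_dir."""
    base = Path(target_dir).resolve()    # resolve() also handles a symlinked target dir
    dest = (base / entry_name).resolve()  # absolute names and '..' segments collapse here
    return dest != base and base not in dest.parents

def find_unsafe_entries(zip_bytes, target_dir):
    """Inspect an archive without extracting it; return the escaping entry names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if entry_escapes(target_dir, n)]

def safe_extract(zip_bytes, target_dir):
    """Refuse the whole archive if any entry escapes; else extract and return written paths."""
    bad = find_unsafe_entries(zip_bytes, target_dir)
    if bad:
        raise ValueError(f"archive has entries escaping {target_dir}: {bad}")
    base, written = Path(target_dir).resolve(), []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue  # parent directories are created as files are written
            dest = (base / info.filename).resolve()
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(zf.read(info))
            written.append(dest.relative_to(base).as_posix())
    return written

def build_zip(entries):
    """Constructed fixture: in-memory zip whose entry names are stored exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed test archives: the first mirrors the report's payload, the second is benign.
EVIL_ZIP = build_zip({"../../../../tmp/dangerousscript.sh": b"", "data.csv": b"a,b\n"})
GOOD_ZIP = build_zip({"cooldata/data.csv": b"a,b\n1,2\n"})

def demo():
    """Extract the benign archive into a scratch directory; returns the written relative paths."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(GOOD_ZIP, tmp)
```

Running `find_unsafe_entries` on an upload before `explodeArchive`-style extraction is what lets the importer warn the user instead of silently writing the file.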

All 8 comments

Thanks for the report!

@itsacoderepo Do you recommend a fix such as what Sonarqube did? https://github.com/SonarSource/sonarqube/commit/08438a2c47112f2fce1e512f6c843c908abed4c7#diff-6d8def68a00bf88a105528765f02fb95

or another method / library?

It is also reported under CVE-2018-19859

Is the CVE-2018-19859 vulnerability fixed in the 3.2-beta? The history above and the bug fix summary for 3.2-beta seem to indicate it has - but you indicate above that you've allocated some work to 3.5. As a result the CVE record (https://nvd.nist.gov/vuln/detail/CVE-2018-19859) indicates that it won't be fixed until 3.5. My work won't let me use the software until the NIST vulnerabilities are fixed.
Thanks

@mdbaehre Yes this was fixed in 3.2-beta.

I've submitted a request to the CVE database for CVE-2018-19859 to reflect this earlier fix to the vulnerability

CVE database now updated to indicate that this has been fixed in 3.2-beta http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19859

Fantastic, thanks a lot Owen!
