[PDI-17941] Data Validator - Read allowed Values from another step - Lose values #9670

Open: wants to merge 1 commit into base: master
Conversation

smmribeiro (Contributor)

@pentaho/tatooine_dev

@smmribeiro requested a review from a team as a code owner on October 22, 2024 at 14:44

@buildguy (Collaborator)

🚨 Frogbot scanned this pull request and found the below:


@buildguy (Collaborator)

zipFilename

at ui/src/main/java/org/pentaho/di/ui/i18n/editor/Translator2.java (line 869)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Low
Finding: Untrusted stored value used in file paths, allowing access to unintended files
Full description

Overview

Path traversal, also known as directory traversal, is a type of
vulnerability that allows an attacker to access files or directories on a
computer or device that are outside of the intended directory.
Allowing arbitrary read access can allow the attacker to read sensitive
files, such as configuration files or sensitive data, potentially leading
to data loss or even system compromise. Allowing arbitrary write access is
more severe and in most cases leads to arbitrary code execution, via
editing important system files or sensitive data.

Vulnerable example

public class path_traversal_vuln {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String DOCS_FOLDER = "/srv/www/docs";
        String docName;
        // Reading from DB: executeQuery() returns a ResultSet, so the stored
        // file name is read out of the first row; it is never validated
        try (ResultSet rs = statement.executeQuery(query)) {
            rs.next();
            docName = rs.getString(1);
        } catch (SQLException e) {
            throw new ServletException(e);
        }
        Path docPath = Paths.get(DOCS_FOLDER, docName);  // ".." segments survive this join
        File docFile = docPath.toFile();
        FileUtils.copyFile(docFile, response.getOutputStream());
    }
}

In this example, an attacker can, via a stored parameter, inject a back-path
that will get anywhere in the system, using "../../".

Remediation

public class path_traversal_safe {
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String DOCS_FOLDER = "/srv/www/docs";
        String docName;
        try (ResultSet rs = statement.executeQuery(query)) {  // Reading from DB
            rs.next();
            docName = rs.getString(1);
        } catch (SQLException e) {
            throw new ServletException(e);
        }
        Path docPath = Paths.get(DOCS_FOLDER, docName);
+         // Collapse "." and ".." segments before checking the prefix
+         Path normDocPath = docPath.normalize();
+         // Make sure the normalized path resides in the desired dir; Path.startsWith
+         // compares whole name elements, so "/srv/www/docs-other" does not match
+         if (normDocPath.startsWith(DOCS_FOLDER)) {
            // Open the path that was actually checked, not the raw one
            File docFile = normDocPath.toFile();
            FileUtils.copyFile(docFile, response.getOutputStream());
+         }
    }
}

By checking that the folder name still starts with the predefined prefix, we
make sure that the attacker is not able to back-path outside of the allowed
folder.

Code Flows
Vulnerable data flow analysis result

↘️ System.getProperty( "file.separator" ) (at ui/src/main/java/org/pentaho/di/ui/i18n/editor/Translator2.java line 866)

↘️ dialog.getFilterPath() + System.getProperty( "file.separator" ) (at ui/src/main/java/org/pentaho/di/ui/i18n/editor/Translator2.java line 866)

↘️ dialog.getFilterPath() + System.getProperty( "file.separator" ) + dialog.getFileName() (at ui/src/main/java/org/pentaho/di/ui/i18n/editor/Translator2.java line 866)

↘️ zipFilename (at ui/src/main/java/org/pentaho/di/ui/i18n/editor/Translator2.java line 865)

↘️ zipFilename (at ui/src/main/java/org/pentaho/di/ui/i18n/editor/Translator2.java line 869)


@buildguy (Collaborator)

SYSTEM_FOLDER

at plugins/pur/core/src/main/java/org/pentaho/di/repository/pur/PurRepository.java (line 1483)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Low
Finding: Untrusted stored value used in file paths, allowing access to unintended files

Code Flows
Vulnerable data flow analysis result

↘️ System.getProperty( "file.separator" ) (at core/src/main/java/org/pentaho/di/core/Const.java line 165)

↘️ FILE_SEPARATOR (at core/src/main/java/org/pentaho/di/core/Const.java line 165)

↘️ FILE_SEPARATOR (at core/src/main/java/org/pentaho/di/core/Const.java line 3687)

↘️ dir + FILE_SEPARATOR (at core/src/main/java/org/pentaho/di/core/Const.java line 3687)

↘️ dir + FILE_SEPARATOR + file (at core/src/main/java/org/pentaho/di/core/Const.java line 3687)

↘️ return dir + FILE_SEPARATOR + file; (at core/src/main/java/org/pentaho/di/core/Const.java line 3687)

↘️ Const .safeAppendDirectory( BasePropertyHandler.getProperty( "systemDirBase", "system/" ), "" ) (at plugins/pur/core/src/main/java/org/pentaho/di/repository/pur/PurRepository.java line 170)

↘️ SYSTEM_FOLDER (at plugins/pur/core/src/main/java/org/pentaho/di/repository/pur/PurRepository.java line 170)

↘️ SYSTEM_FOLDER (at plugins/pur/core/src/main/java/org/pentaho/di/repository/pur/PurRepository.java line 1483)


@buildguy (Collaborator)

filePath

at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java (line 270)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Low
Finding: Untrusted stored value used in file paths, allowing access to unintended files

Code Flows
Vulnerable data flow analysis result

↘️ System.getenv( "KETTLE_HOME" ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ String source (at core/src/main/java/org/pentaho/di/core/Const.java line 2740)

↘️ source (at core/src/main/java/org/pentaho/di/core/Const.java line 2744)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ return NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ); (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ Const.getUserHomeDirectory() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ !StringUtils.isEmpty( Const.getUserHomeDirectory() ) ? Const.getUserHomeDirectory() : new File( "." ).getAbsolutePath() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() + ".zip" (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 246)

↘️ String filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 262)

↘️ filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 270)

Vulnerable data flow analysis result

↘️ System.getenv( "KETTLE_HOME" ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ T source (at core/src/main/java/org/pentaho/di/core/Const.java line 2756)

↘️ source (at core/src/main/java/org/pentaho/di/core/Const.java line 2760)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ return NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ); (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ Const.getUserHomeDirectory() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ !StringUtils.isEmpty( Const.getUserHomeDirectory() ) ? Const.getUserHomeDirectory() : new File( "." ).getAbsolutePath() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() + ".zip" (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 246)

↘️ String filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 262)

↘️ filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 270)

Vulnerable data flow analysis result

↘️ System.getProperty( "KETTLE_HOME" ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ String source (at core/src/main/java/org/pentaho/di/core/Const.java line 2740)

↘️ source (at core/src/main/java/org/pentaho/di/core/Const.java line 2744)

↘️ NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ String def (at core/src/main/java/org/pentaho/di/core/Const.java line 2740)

↘️ def (at core/src/main/java/org/pentaho/di/core/Const.java line 2742)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ return NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ); (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ Const.getUserHomeDirectory() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ !StringUtils.isEmpty( Const.getUserHomeDirectory() ) ? Const.getUserHomeDirectory() : new File( "." ).getAbsolutePath() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() + ".zip" (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 246)

↘️ String filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 262)

↘️ filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 270)

Vulnerable data flow analysis result

↘️ System.getProperty( "KETTLE_HOME" ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ String source (at core/src/main/java/org/pentaho/di/core/Const.java line 2740)

↘️ source (at core/src/main/java/org/pentaho/di/core/Const.java line 2744)

↘️ NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ T def (at core/src/main/java/org/pentaho/di/core/Const.java line 2756)

↘️ def (at core/src/main/java/org/pentaho/di/core/Const.java line 2758)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ return NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ); (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ Const.getUserHomeDirectory() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ !StringUtils.isEmpty( Const.getUserHomeDirectory() ) ? Const.getUserHomeDirectory() : new File( "." ).getAbsolutePath() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() + ".zip" (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 246)

↘️ String filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 262)

↘️ filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 270)

Vulnerable data flow analysis result

↘️ System.getProperty( "KETTLE_HOME" ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ T source (at core/src/main/java/org/pentaho/di/core/Const.java line 2756)

↘️ source (at core/src/main/java/org/pentaho/di/core/Const.java line 2760)

↘️ NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ String def (at core/src/main/java/org/pentaho/di/core/Const.java line 2740)

↘️ def (at core/src/main/java/org/pentaho/di/core/Const.java line 2742)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ return NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ); (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ Const.getUserHomeDirectory() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ !StringUtils.isEmpty( Const.getUserHomeDirectory() ) ? Const.getUserHomeDirectory() : new File( "." ).getAbsolutePath() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() + ".zip" (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 246)

↘️ String filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 262)

↘️ filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 270)

Vulnerable data flow analysis result

↘️ System.getProperty( "KETTLE_HOME" ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ T source (at core/src/main/java/org/pentaho/di/core/Const.java line 2756)

↘️ source (at core/src/main/java/org/pentaho/di/core/Const.java line 2760)

↘️ NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ T def (at core/src/main/java/org/pentaho/di/core/Const.java line 2756)

↘️ def (at core/src/main/java/org/pentaho/di/core/Const.java line 2758)

↘️ NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ) (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ return NVL( System.getenv( "KETTLE_HOME" ), NVL( System.getProperty( "KETTLE_HOME" ), System.getProperty( "user.home" ) ) ); (at core/src/main/java/org/pentaho/di/core/Const.java line 2499)

↘️ Const.getUserHomeDirectory() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ !StringUtils.isEmpty( Const.getUserHomeDirectory() ) ? Const.getUserHomeDirectory() : new File( "." ).getAbsolutePath() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 244)

↘️ basePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ basePath + File.separator + java.util.UUID.randomUUID().toString() + ".zip" (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 245)

↘️ zipFilePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 246)

↘️ String filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 262)

↘️ filePath (at engine/src/main/java/org/pentaho/di/base/AbstractBaseCommandExecutor.java line 270)


@buildguy (Collaborator)

new File( System.getProperty( "java.io.tmpdir" ) + Const.FILE_SEPARATOR + data.ZipFilename )

at plugins/mail/impl/src/main/java/org/pentaho/di/trans/steps/mail/Mail.java (line 831)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Low
Finding: Untrusted stored value used in file paths, allowing access to unintended files

Code Flows
Vulnerable data flow analysis result

↘️ System.getProperty( "java.io.tmpdir" ) (at plugins/mail/impl/src/main/java/org/pentaho/di/trans/steps/mail/Mail.java line 831)

↘️ System.getProperty( "java.io.tmpdir" ) + Const.FILE_SEPARATOR (at plugins/mail/impl/src/main/java/org/pentaho/di/trans/steps/mail/Mail.java line 831)

↘️ System.getProperty( "java.io.tmpdir" ) + Const.FILE_SEPARATOR + data.ZipFilename (at plugins/mail/impl/src/main/java/org/pentaho/di/trans/steps/mail/Mail.java line 831)

↘️ new File( System.getProperty( "java.io.tmpdir" ) + Const.FILE_SEPARATOR + data.ZipFilename ) (at plugins/mail/impl/src/main/java/org/pentaho/di/trans/steps/mail/Mail.java line 831)


@buildguy (Collaborator)

new File( System.getProperty( "java.io.tmpdir" )
                + Const.FILE_SEPARATOR + environmentSubstitute( zipFilename ) )

at plugins/mail-job/impl/src/main/java/org/pentaho/di/job/entries/mail/JobEntryMail.java (line 1043)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Low
Finding: Untrusted stored value used in file paths, allowing access to unintended files

Code Flows
Vulnerable data flow analysis result

↘️ System.getProperty( "java.io.tmpdir" ) (at plugins/mail-job/impl/src/main/java/org/pentaho/di/job/entries/mail/JobEntryMail.java line 1043)

↘️ System.getProperty( "java.io.tmpdir" ) + Const.FILE_SEPARATOR (at plugins/mail-job/impl/src/main/java/org/pentaho/di/job/entries/mail/JobEntryMail.java line 1043)

↘️ System.getProperty( "java.io.tmpdir" ) + Const.FILE_SEPARATOR + environmentSubstitute( zipFilename ) (at plugins/mail-job/impl/src/main/java/org/pentaho/di/job/entries/mail/JobEntryMail.java line 1043)

↘️ new File( System.getProperty( "java.io.tmpdir" ) + Const.FILE_SEPARATOR + environmentSubstitute( zipFilename ) ) (at plugins/mail-job/impl/src/main/java/org/pentaho/di/job/entries/mail/JobEntryMail.java line 1043)


@buildguy (Collaborator)

dbDir

at integration/src/it/java/org/pentaho/di/cluster/SlaveSequenceIT.java (line 186)

🎯 Static Application Security Testing (SAST) Vulnerability

Severity: Low
Finding: Untrusted stored value used in file paths, allowing access to unintended files

Code Flows
Vulnerable data flow analysis result

↘️ System.getProperty( "java.io.tmpdir" ) (at integration/src/it/java/org/pentaho/di/cluster/SlaveSequenceIT.java line 136)

↘️ System.getProperty( "java.io.tmpdir" ) + "/" (at integration/src/it/java/org/pentaho/di/cluster/SlaveSequenceIT.java line 136)

↘️ System.getProperty( "java.io.tmpdir" ) + "/" + UUID.randomUUID().toString() (at integration/src/it/java/org/pentaho/di/cluster/SlaveSequenceIT.java line 136)

↘️ System.getProperty( "java.io.tmpdir" ) + "/" + UUID.randomUUID().toString() + "-slaveSeqTest-H2-DB" (at integration/src/it/java/org/pentaho/di/cluster/SlaveSequenceIT.java line 136)

↘️ dbDir (at integration/src/it/java/org/pentaho/di/cluster/SlaveSequenceIT.java line 135)

↘️ dbDir (at integration/src/it/java/org/pentaho/di/cluster/SlaveSequenceIT.java line 186)


@buildguy (Collaborator)

❌ Build failed in 3h 10m 55s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl ui

👌 All tests passed!

Tests run: 357, Failures: 0, Skipped: 0    Test Results


ℹ️ This is an automatic message

2 participants