Query PR
github/codeql#7712
Language
Java
CVE(s) ID list
CVE-2021-44093
- A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell
CVE-2021-40639
- Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js
CWE
CWE-073: External Control of File Name or Path
Report
External Control of File Name or Path, also called File Path Injection, is a common attack, and injection is listed as one of the top categories in the OWASP Top Ten 2021.
Loading files based on unvalidated user input may cause file information disclosure, and uploading files with unvalidated file types to an arbitrary directory may lead to Remote Command Execution (RCE).
JFinal is a widely used Web + ORM framework, which has 1.4K forks and 3.2k stars on GitHub. An introduction can be found in the JFinal Tutorial. Multiple vulnerabilities associated with File Path Injection in this framework have been reported.
This query detects unsafe file loading/downloading operations in code repositories that consume this framework. It models JFinal input methods as remote flow sources using the source model CSV format. It creates a separate PathSanitizer library so that the library can be promoted to a shared library usable by other queries as well. It reduces false positives (FPs) by pruning the sink and by testing with both real projects on GitHub and test cases customized for this query.
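The following is an added illustration of the two sinks the report describes (user-controlled file load/download and unvalidated upload) placed beside the kind of check a PathSanitizer library would recognise as a barrier. It is not code from the PR or from JFinal: it uses only `java.nio`, the class name, base directory and extension allow-list are constructed, and it assumes Java 9+ for `Set.of`. In a JFinal controller the string from `getPara(...)` or the original name of an uploaded file would be what is passed into these helpers.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

public final class PathSanitizerDemo {

    // Constructed allow-list for an avatar upload endpoint; a real service would
    // derive it from the content types it actually serves.
    private static final Set<String> ALLOWED_IMAGE_EXT = Set.of("png", "jpg", "jpeg", "gif");

    /** Vulnerable pattern: the request parameter reaches the file sink unchanged. */
    static Path unsafeResolve(Path baseDir, String userSupplied) {
        return baseDir.resolve(userSupplied);
    }

    /**
     * Hardened load/download: normalise lexically, then require the result to stay
     * inside baseDir. Path.startsWith compares whole path components, so
     * "/srv/uploads2/x" does not pass for base "/srv/uploads" (a String prefix check would).
     */
    static Path resolveWithin(Path baseDir, String userSupplied) {
        Path base = baseDir.toAbsolutePath().normalize();
        // resolve() drops base when userSupplied is absolute, so "/etc/passwd" fails the check below too
        Path candidate = base.resolve(userSupplied).normalize();
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IllegalArgumentException("path escapes base directory: " + userSupplied);
        }
        // normalize() is purely lexical; when the file must already exist, follow with
        // candidate.toRealPath() and repeat the startsWith check to account for symlinks.
        return candidate;
    }

    /**
     * Hardened upload: keep only the final name component (client-supplied names may
     * carry either separator), then enforce an extension allow-list. The web server
     * must separately refuse to execute anything under the upload directory.
     */
    static String safeUploadName(String originalName) {
        int cut = Math.max(originalName.lastIndexOf('/'), originalName.lastIndexOf('\\'));
        String name = originalName.substring(cut + 1);
        if (name.isEmpty() || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("invalid upload name");
        }
        int dot = name.lastIndexOf('.');
        String ext = dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
        if (!ALLOWED_IMAGE_EXT.contains(ext)) {
            throw new IllegalArgumentException("disallowed upload type: " + ext);
        }
        return name;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/app/uploads"); // constructed base directory

        // Vulnerable form: the traversal sequence survives into the resolved path.
        System.out.println("unsafe: " + unsafeResolve(base, "../../outside.txt").normalize());

        // Hardened form: in-tree input is accepted, escaping input is rejected.
        System.out.println("safe:   " + resolveWithin(base, "avatars/u1.png"));
        for (String bad : new String[] {"../../outside.txt", "/etc/passwd", ""}) {
            try {
                resolveWithin(base, bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }

        // Upload name handling: separators stripped, extension checked case-insensitively.
        System.out.println("upload: " + safeUploadName("..\\..\\avatar.PNG"));
        try {
            safeUploadName("page.jsp");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The component-wise `startsWith` after `normalize()` is the check worth modelling as a sanitizer; a plain `String.contains("..")` test is a weaker barrier because absolute paths and alternative separators bypass it without containing that substring.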
Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).
Blog post link
No response