[Java]: CWE-073 - File path injection with the JFinal framework #527

Description

@luchua-bc

Query PR

github/codeql#7712

Language

Java

CVE(s) ID list

CVE-2021-44093

  • A Remote Command Execution vulnerability in the backend of zrlog 2.2.2, at the upload-avatar function, could bypass the original limit and upload a JSP file to get a WebShell

CVE-2021-40639

  • Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties&config=filemanager.config.js

CWE

CWE-073: External Control of File Name or Path

Report

External Control of File Name or Path, also called File Path Injection, is a common attack; injection attacks are listed among the top attacks in the OWASP Top Ten 2021.

Loading files based on unvalidated user input may cause file information disclosure, and uploading files of unvalidated file types to an arbitrary directory may lead to Remote Command Execution (RCE).

JFinal is a widely used Web + ORM framework with 1.4K forks and 3.2k stars on GitHub. More information can be found in the JFinal Tutorial. Multiple CVEs have been submitted for File Path Injection attacks associated with this framework.

This query detects unsafe file loading/downloading operations in code repositories that consume this framework. It models JFinal input methods as remote flow sources using the source model CSV format. It creates a separate PathSanitizer library so that the library can be promoted to a shared library usable by other queries as well. It reduces false positives by pruning the sinks and has been tested against both real projects on GitHub and test cases customized for this query.
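The two flows the query is looking for, as an added example that is not part of this submission, the CodeQL PR, or the JFinal project: a download that passes a request parameter straight to renderFile (the CVE-2021-40639 pattern) and an upload that lets the client pick the stored file name and extension (the CVE-2021-44093 pattern), each shown beside a hardened form. The example assumes the JFinal Controller API names getPara, getFile, renderFile, renderText and renderError and the UploadFile methods getFile and getOriginalFileName; the base directories, the parameter names and the allowed-extension set are constructed for illustration.

```java
import com.jfinal.core.Controller;
import com.jfinal.upload.UploadFile;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Example controller (not JFinal's code); directories are constructed for illustration.
public class AvatarController extends Controller {
    private static final Path DOWNLOAD_BASE = Paths.get("/var/app/public").toAbsolutePath().normalize();
    private static final Path AVATAR_BASE = Paths.get("/var/app/avatars").toAbsolutePath().normalize();
    private static final Set<String> ALLOWED_EXT = Set.of("png", "jpg", "jpeg", "gif");

    // VULNERABLE (what the query flags): getPara is the remote flow source and
    // renderFile the sink; nothing between them constrains the resulting path.
    public void downloadUnsafe() {
        String name = getPara("file");
        renderFile(new File("/var/app/public/" + name));
    }

    // VULNERABLE: the client-supplied original file name decides both where the
    // file lands (".." segments) and what it is (e.g. a ".jsp" extension).
    public void uploadUnsafe() throws IOException {
        UploadFile uf = getFile("avatar");
        File dest = new File("/var/app/avatars/" + uf.getOriginalFileName());
        Files.move(uf.getFile().toPath(), dest.toPath(), StandardCopyOption.REPLACE_EXISTING);
        renderText("ok");
    }

    // HARDENED: the user value is only ever resolved *under* a fixed base directory.
    public void download() {
        Path target = resolveUnderBase(DOWNLOAD_BASE, getPara("file"));
        if (target == null) {
            renderError(400);
            return;
        }
        renderFile(target.toFile());
    }

    // HARDENED: the server chooses the file name; the client only influences the
    // extension, and only from an allow-list.
    public void upload() throws IOException {
        UploadFile uf = getFile("avatar");
        String ext = safeExtension(uf.getOriginalFileName());
        if (ext == null) {
            renderError(400);
            return;
        }
        Path dest = AVATAR_BASE.resolve(UUID.randomUUID() + "." + ext);
        Files.move(uf.getFile().toPath(), dest, StandardCopyOption.REPLACE_EXISTING);
        renderText("ok");
    }

    // Returns the canonical child of `base` that `userInput` names, or null if the
    // input is empty, contains a NUL byte, is absolute, or escapes `base` via "..".
    static Path resolveUnderBase(Path base, String userInput) {
        if (userInput == null || userInput.isEmpty() || userInput.indexOf('\0') >= 0) {
            return null;
        }
        // resolve() of an absolute input discards `base`; normalize() folds "..";
        // startsWith() is a path-component check, so "/var/app/public2" does not pass.
        Path candidate = base.resolve(userInput).normalize();
        if (!candidate.startsWith(base)) {
            return null;
        }
        return candidate;
    }

    // Returns the lower-cased extension if it is allow-listed, otherwise null.
    static String safeExtension(String originalName) {
        if (originalName == null) {
            return null;
        }
        int dot = originalName.lastIndexOf('.');
        if (dot < 0 || dot == originalName.length() - 1) {
            return null;
        }
        String ext = originalName.substring(dot + 1).toLowerCase(Locale.ROOT);
        return ALLOWED_EXT.contains(ext) ? ext : null;
    }
}
```

Two caveats worth keeping in mind when reviewing code the query flags: normalize() does not follow symbolic links, so where the target must already exist, toRealPath() on both base and candidate gives a stronger check; and an extension allow-list only constrains the file name, not the content, so a web container must still not be able to interpret anything written under AVATAR_BASE.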

Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).

  • Yes
  • No

Blog post link

No response

Labels: All For One (Submissions to the All for One, One for All bounty)