Path traversal vulnerability in changesets API exploitable by logged in users

Issue #319 resolved
Mika Myllynen
created an issue

The branch parameter of the changesets API has a path traversal vulnerability where a valid operating system path (such as /etc/passwd) can be given and the file will be included in the Java stack trace if stack traces are in use.

Steps to reproduce:

  1. Log in to SCM webapp
  2. Point browser to url: <webapp-domain:port>/scm-webapp/api/rest/repositories/7cfa203b-4e4b-43ea-8ada-c4d06dee94f9/changesets.json?_dc=1358775592031&start=0&limit=20&branch=../../../../../../../../../../../../../../../../etc/passwd
  3. Contents of /etc/passwd are revealed in the middle of the stacktrace

The risk can be reduced by disabling stack traces, but this is just a mitigation and not a cure, of course.

Comments (5)

  1. Mika Myllynen reporter

    Took me a while to get back to this, but I can confirm that with this fix the contents of the file are not visible in the stack trace any more.

    java.lang.IllegalArgumentException: refs/heads/../../../../../../../../../../../../../../../../etc/passwd is an invalid branch name

    is shown instead.
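The two behaviours described on this page, the original traversal through the branch parameter and the fix's "is an invalid branch name" rejection that the reporter confirms above, can be illustrated with an added example. This is not SCM-Manager's code; it assumes a hypothetical repository root and a handler name of its own, approximates git's ref-name rules in is_valid_branch_name, and adds a second, independent check that normalises the resulting path and refuses anything that resolves outside the repository.

```python
import posixpath

# Constructed repository root for this example; the real SCM-Manager
# on-disk layout is not assumed here.
REPO_ROOT = "/var/lib/scm/repositories/7cfa203b-4e4b-43ea-8ada-c4d06dee94f9"

# Characters git refuses in ref names (space, ~, ^, :, ?, *, [, backslash,
# DEL and all ASCII control characters). This is an approximation of
# `git check-ref-format`, reduced to the rules that matter for traversal.
_FORBIDDEN_CHARS = set(' ~^:?*[\\\x7f') | {chr(c) for c in range(0x20)}


def is_valid_branch_name(name: str) -> bool:
    """Return True only for names that are safe to append to refs/heads/."""
    if not name or name.startswith("/") or name.endswith("/") or "//" in name:
        return False
    # ".." anywhere is forbidden by git, which also closes the traversal case.
    if any(ch in _FORBIDDEN_CHARS for ch in name) or ".." in name or "@{" in name:
        return False
    for comp in name.split("/"):
        if comp in ("", ".") or comp.startswith(".") or comp.endswith(".lock"):
            return False
    return True


def ref_path_for_branch(repo_root: str, branch: str) -> str:
    """Map a branch name to refs/heads/<branch> under repo_root.

    Raises ValueError with a message that echoes only the submitted name,
    never the contents of whatever the path might have pointed at.
    """
    if not is_valid_branch_name(branch):
        raise ValueError(f"refs/heads/{branch} is an invalid branch name")
    candidate = posixpath.normpath(posixpath.join(repo_root, "refs", "heads", branch))
    # Defence in depth: even if the name check were loosened later, the
    # normalised path must still sit inside the repository directory.
    if not candidate.startswith(repo_root.rstrip("/") + "/"):
        raise ValueError(f"refs/heads/{branch} is an invalid branch name")
    return candidate


def handle_changesets_request(repo_root: str, branch: str) -> dict:
    """Hypothetical request handler: either the ref path the API would read,
    or a 400 whose body reveals nothing about the filesystem."""
    try:
        return {"status": 200, "ref": ref_path_for_branch(repo_root, branch)}
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}


if __name__ == "__main__":
    # Constructed inputs: a normal branch and the traversal string from the report.
    for branch in ("master", "../../../../../../../../../../../../../../../../etc/passwd"):
        print(handle_changesets_request(REPO_ROOT, branch))
```

The ordering matters: the name is validated before any path is built, so the file system is never consulted for a bad name, and the error returned to the client (or logged) contains the caller's own input and nothing read from disk. The normpath containment check is independent of the name rules and catches any future regression in them.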
