-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Vulnerability scanning shows unsanitized input, path traversal issue in zap #1390
Comments
Thanks for the report, @candita! I think this is a false positive. This is where that sink gets registered: Line 70 in 5acd569
(schemeFile is "file" here.) So when someone specified Line 71 in 5acd569
Which will dispatch on the The input to the line vulnerable line will not come from an HTTP external request. Is there something we can do to help address this false positive? |
I'm not well-versed in the exploitation of the vulnerability itself, but I think the vulnerability is more along the lines of gaining access to a file outside of the authorized hierarchy. The file path should be absolute, not relative, and not allowed to contain Does it currently prevent someone from doing |
I see. I assumed the vulnerability was concerned with untrusted input from HTTP requests feeding into the path, and being able to access the filesystem. No, the system doesn't currently prevent someone from explicitly doing
This should already require that paths be absolute. I'm surprised that this isn't already checked. |
More info here: https://cwe.mitre.org/data/definitions/23.html with some newer exploits. |
Hey @candita, we plan to update the implementation of zap.Open to ensure "file:" prefix paths arguments are absolute or else we'll throw an error since that's already documented. I should be able to put up a PR for this by Monday. |
Currently, zap.Open doesn't prevent someone from explicitly doing something like zap.Open("file://../../../secret"). zap.Open already documents that paths passed to it must be absolute. Add validation to error if zap.Open is called with a relative paths that could write files outside of intended file directory hierarchy. This change addresses https://cwe.mitre.org/data/definitions/23.html ref #1390
Currently, zap.Open doesn't prevent someone from explicitly doing something like zap.Open("file://../../../secret"). zap.Open already documents that paths passed to it must be absolute. Add validation to error if zap.Open is called with a relative paths that could write files outside of intended file directory hierarchy. This change addresses https://cwe.mitre.org/data/definitions/23.html ref #1390
Add validation to ensure file schema paths passed to zap.Open are absolute since this is already documented. Tests are also added to demonstrate that double dot segements within file schema URIs passed to zap.Open remaining within the specified file hierarchy. This change addresses https://cwe.mitre.org/data/definitions/23.html ref #1390
Add validation to ensure file schema paths passed to zap.Open are absolute since this is already documented. Tests are also added to demonstrate that double dot segements within file schema URIs passed to zap.Open remaining within the specified file hierarchy. This change addresses https://cwe.mitre.org/data/definitions/23.html ref #1390
Add validation to ensure file schema paths passed to zap.Open are absolute since this is already documented. Curently, file schema URIs with relative roots e.g. "file://../" are parsed to "" by url.Parse and lead to errors when opening a "" path. Additional validation makes this problem easier to correct. Tests are also added to demonstrate that double dot segements within file schema URIs passed to zap.Open remaining within the specified file hierarchy. This change addresses https://cwe.mitre.org/data/definitions/23.html ref #1390 This PR succeeds #1397
@candita After some discussion in #1398, we still think that this is a false positive. The relevant function supports relative paths ( https://cwe.mitre.org/data/definitions/23.html seems concerned with relative path traversals. I couldn't find information about how an absolute path could be exploited there. |
Describe the bug
Snyk code vulnerability scanner was run on vendored uber-go code and found an issue:
This is an old line number reference, but the issue is still visible in the repo head, at https://github.com/uber-go/zap/blob/master/sink.go#L158C33-L158C33.
To Reproduce
Run any scanner that picks up Path Traversal or CWE vulnerabilities. CWE-23 will appear and reference https://github.com/uber-go/zap/blob/master/sink.go#L158C33-L158C33.
Expected behavior
No vulnerabilities seen.
Additional context
CWE-23 is in the top 25 Common Weaknesses. Zap "... uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory."
Thanks for your attention.
The text was updated successfully, but these errors were encountered: