Title: [Java]: CWE-073 - File path injection with the JFinal framework · Issue #527 · github/securitylab · GitHub
Open Graph Title: [Java]: CWE-073 - File path injection with the JFinal framework · Issue #527 · github/securitylab
X Title: [Java]: CWE-073 - File path injection with the JFinal framework · Issue #527 · github/securitylab
Description: Query PR github/codeql#7712 Language Java CVE(s) ID list CVE-2021-44093 A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get...
Open Graph Description: Query PR github/codeql#7712 Language Java CVE(s) ID list CVE-2021-44093 A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the or...
X Description: Query PR github/codeql#7712 Language Java CVE(s) ID list CVE-2021-44093 A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the or...
Opengraph URL: https://github.com/github/securitylab/issues/527
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"[Java]: CWE-073 - File path injection with the JFinal framework","articleBody":"### Query PR\n\nhttps://github.com/github/codeql/pull/7712\n\n### Language\n\nJava\n\n### CVE(s) ID list\n\n[CVE-2021-44093](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44093)\r\n+ A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the original limit, upload the JSP file to get a WebShell\r\n\r\n[CVE-2021-40639](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40639)\r\n+ Improper access control in Jfinal CMS 5.1.0 allows attackers to access sensitive information via /classes/conf/db.properties\u0026config=filemanager.config.js\n\n### CWE\n\nCWE-073: External Control of File Name or Path\n\n### Report\n\nExternal Control of File Name or Path, also called File Path Injection, is a common attack and injection attack is listed as one of the top attacks in OWASP Top Ten 2021.\r\n\r\nLoading files based on unvalidated user-input may cause file information disclosure and uploading files with unvalidated file types to an arbitrary directory may lead to Remote Command Execution (RCE).\r\n\r\n\u003ccode\u003e[JFinal](https://github.com/jfinal/jfinal)\u003c/code\u003e is a widely used Web + ORM framework, which has 1.4K forks and 3.2k stars on GitHub. More introduction can be found at \u003ccode\u003e[JFinal Tutorial](https://github.com/jfinal/jfinal-manual)\u003c/code\u003e. Multiple CWEs have been submitted for File Path Injection attack associated with this framework.\r\n\r\nThis query detects unsafe file loading/downloading operations in code repositories that consume this framework. It models \u003ccode\u003eJFinal\u003c/code\u003e input methods as remote flow source using the source model CSV format. It creates a separate \u003ccode\u003ePathSanitizer\u003c/code\u003e library so that the library can be promoted as a shared lib that can be used by other queries as well. It reduces FPs by pruning the sink and testing with both real projects on GitHub and test cases customized for this query. \r\n\n\n### Are you planning to discuss this vulnerability submission publicly? (Blog Post, social networks, etc).\n\n- [X] Yes\n- [ ] No\n\n### Blog post link\n\n_No response_","author":{"url":"https://github.com/luchua-bc","@type":"Person","name":"luchua-bc"},"datePublished":"2022-01-23T18:47:04.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":10},"url":"https://github.com/527/securitylab/issues/527"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:e9dfe46e-696d-011c-3240-87e9663162d3 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | D68E:4908F:26FFE2:349C2D:6A4D1E8A |
| html-safe-nonce | 225c627d3eeedee60fc02471e1e209f5878e92e7a8bf1c06e7d231e70095c4dc |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJENjhFOjQ5MDhGOjI2RkZFMjozNDlDMkQ6NkE0RDFFOEEiLCJ2aXNpdG9yX2lkIjoiMjY3MzMzMTk1MzQyMDAxNzI5MCIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | 32be39e5749ef18022a03c90e0ce804696b337f612a15aae5530e9ee12d08216 |
| hovercard-subject-tag | issue:1111953427 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/github/securitylab/527/issue_layout |
| twitter:image | https://opengraph.githubassets.com/9df76597dea020c6067b962b36366ff8a07bae115ff8061e95d652f6b528d259/github/securitylab/issues/527 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/9df76597dea020c6067b962b36366ff8a07bae115ff8061e95d652f6b528d259/github/securitylab/issues/527 |
| og:image:alt | Query PR github/codeql#7712 Language Java CVE(s) ID list CVE-2021-44093 A Remote Command Execution vulnerability on the background in zrlog 2.2.2, at the upload avatar function, could bypass the or... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | luchua-bc |
| hostname | github.com |
| expected-hostname | github.com |
| None | 92571a8944142227b7e19cd10918b1ddd06e5066c1ad5bc7e4769cf6140a87e6 |
| turbo-cache-control | no-preview |
| go-import | github.com/github/securitylab git https://github.com/github/securitylab.git |
| octolytics-dimension-user_id | 9919 |
| octolytics-dimension-user_login | github |
| octolytics-dimension-repository_id | 221101274 |
| octolytics-dimension-repository_nwo | github/securitylab |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | false |
| octolytics-dimension-repository_network_root_id | 221101274 |
| octolytics-dimension-repository_network_root_nwo | github/securitylab |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | 93f17a978ee60bc4668e1d7b90e6bd2d622261fd |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width