fix bug: urldecode difference between python & java #157

Open. Wants to merge 85 commits into base: master

Conversation


@asdfsx asdfsx commented Oct 18, 2022

When the `flow load` command runs, serving-server queries zookeeper under /flow/online/transfer to look up the model address.
fateflow is implemented in Python, and the address it writes into zookeeper is http%3A%2F%2F172.16.0.49%3A9380%2Fv1%2Fmodel%2Ftransfer%2Fguest~10000~guest-10000~host-20000~model%2F202210120948058502700; as you can see, `~` is kept as-is.
Java, however, converts `~` to %E7 when doing urldecode. As a result, in the original implementation child.endsWith(encodeUri) can never find a match.

# child string:
http%3A%2F%2F172.16.0.49%3A9380%2Fv1%2Fmodel%2Ftransfer%2Fguest~10000~arbiter-10000~guest-10000~host-20000~model%2F202210180730196742980
# encodeUri string:
%2Fguest%7E10000%7Earbiter-10000%7Eguest-10000%7Ehost-20000%7Emodel%2F202210180730196742980

My current fix is:
Decode the content read from zookeeper directly, then compare it with the assembled uri. The downside is that decode may end up being performed multiple times.
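Reproducing the mismatch in Python, as an added illustration that is not code from this PR or from FATE: the Python side is assumed to encode with urllib.parse.quote, and the Java-side encodeUri is a constructed sample shaped after the value quoted above.

```python
from urllib.parse import quote, unquote

# Values taken from the PR description: the URL fateflow registers, and the
# path suffix serving-server assembles for the lookup.
FATEFLOW_URL = ("http://172.16.0.49:9380/v1/model/transfer/"
                "guest~10000~arbiter-10000~guest-10000~host-20000~model/"
                "202210180730196742980")
# Constructed sample of the Java-side encodeUri (assumption: shaped after the
# PR's value, where java.net.URLEncoder has percent-encoded '~' as %7E).
JAVA_ENCODE_URI = ("%2Fguest%7E10000%7Earbiter-10000%7Eguest-10000"
                   "%7Ehost-20000%7Emodel%2F202210180730196742980")


def fateflow_style_encode(url: str) -> str:
    """Encode the way the Python side is assumed to (urllib.parse.quote).

    quote() treats '~' as unreserved (RFC 3986) and leaves it untouched,
    which is why the zookeeper child node keeps a literal '~'.
    """
    return quote(url, safe="")


def buggy_match(child: str, encode_uri: str) -> bool:
    """Original serving-server check: compare the raw encoded strings."""
    return child.endswith(encode_uri)


def fixed_match(child: str, encode_uri: str) -> bool:
    """The PR's approach: decode both sides once, then compare.

    Decoding maps '~' and '%7E' to the same character. Decode exactly once:
    unquote() is not idempotent for input containing a literal percent sign
    ('%2525' -> '%25' -> '%'), so repeated decoding could make two distinct
    keys compare equal.
    """
    return unquote(child).endswith(unquote(encode_uri))


def demo() -> dict:
    # child is what zookeeper hands back to serving-server.
    child = fateflow_style_encode(FATEFLOW_URL)
    return {"child": child,
            "buggy": buggy_match(child, JAVA_ENCODE_URI),
            "fixed": fixed_match(child, JAVA_ENCODE_URI)}
```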

GentleWang1011 and others added 28 commits December 28, 2021 17:52
Upgrade SpringBoot dependent version
…-v2.1.5

Feat: add docker build for v2.1.5
Signed-off-by: kaideng <[email protected]>
Signed-off-by: kaideng <[email protected]>
Signed-off-by: kaideng <[email protected]>
This fixes a Zip-Slip vulnerability.

This change does one of two things. This change either

1. Inserts a guard to protect against Zip Slip.
OR
2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.

For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/"))` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.

Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: High
CVSS: 7.4
Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)

Reported-by: Jonathan Leitschuh <[email protected]>
Signed-off-by: Jonathan Leitschuh <[email protected]>

Bug-tracker: JLLeitschuh/security-research#16

Co-authored-by: Moderne <[email protected]>
…2/fix/JLL/zip-slip-vulnerability

[SECURITY] Fix Zip Slip Vulnerability
Signed-off-by: Chenlong Ma <[email protected]>
(cherry picked from commit 68cb212)
Signed-off-by: Chenlong Ma <[email protected]>
`~` translates to `%E7` in Java, but doesn't translate in Python

Signed-off-by: Sun Xia <[email protected]>