FISH-6775 Authorization Constraints Ignored When Using Path Traversal Penetration Using Default Virtual Module (Payara6) #6080
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Security fix.
It was possible to circumvent JACC authentication using a
./
traversal, since the request normalisation which normally stops these attacks actually happens after the JACC check has occurred. So while the path is normalised as expected, the actual JACC check has already occurred and passed when it would fail against the normalised path.This PR reactivates the old normalisation in the CoyoteAdapater which was commented out many many moons ago without explanation when integrating Grizzly with the forked Tomcat in the days of GlassFish 2 & 3.
What happens now is that if a request which would fail its normalisation checks occur, a HTTP 400 request is returned. This is, from a quick scan of their code, in line with how Tomcat / Catalina functions today.
The criteria for failing normalisation are:
org.glassfish.grizzly.tcp.tomcat5.CoyoteAdapter.ALLOW_BACKSLASH
)Important Info
Blockers
None
Testing
New tests
None
Testing Performed
Testing Environment
WSL, JDK 11
Documentation
None - no CVE
Notes for Reviewers
None