Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

FISH-6775 Authorization Constraints Ignored When Using Path Traversal Penetration Using Default Virtual Module (Payara6) #6080

Merged
merged 3 commits into from
Nov 28, 2022
Merged

FISH-6775 Authorization Constraints Ignored When Using Path Traversal Penetration Using Default Virtual Module (Payara6) #6080

merged 3 commits into from
Nov 28, 2022

Conversation

Pandrex247
Copy link
Member

Description

Security fix.

It was possible to circumvent JACC authentication using a ./ traversal, since the request normalisation which normally stops these attacks actually happens after the JACC check has occurred. So while the path is normalised as expected, the actual JACC check has already occurred and passed when it would fail against the normalised path.

This PR reactivates the old normalisation in the CoyoteAdapater which was commented out many many moons ago without explanation when integrating Grizzly with the forked Tomcat in the days of GlassFish 2 & 3.

What happens now is that if a request which would fail its normalisation checks occur, a HTTP 400 request is returned. This is, from a quick scan of their code, in line with how Tomcat / Catalina functions today.
The criteria for failing normalisation are:

  • Request not starting with a "/"
  • Request with backslashes in (if a property is not enabled: org.glassfish.grizzly.tcp.tomcat5.CoyoteAdapter.ALLOW_BACKSLASH)
  • Request with null bytes in
  • Requests which try to escape the context

Important Info

Blockers

None

Testing

New tests

None

Testing Performed

  • Ran the reproducer for FISH-6775
  • Ran the reproducer for FISH-6603

Testing Environment

WSL, JDK 11

Documentation

None - no CVE

Notes for Reviewers

None

Pandrex247 and others added 3 commits November 28, 2022 11:27
@Pandrex247
FISH-6775 Reactivate old CoyoteAdapter normalisation
3088ef0 
Signed-off-by: Andrew Pielage <pandrex247@hotmail.com>
@Pandrex247
FISH-6775 Use exceptions
c36fe4e 
Signed-off-by: Andrew Pielage <andrew.pielage@payara.fish>
@Pandrex247
FISH-6775 Adjust javadoc
25ca1cf 
Signed-off-by: Andrew Pielage <andrew.pielage@payara.fish>
@Pandrex247
Copy link
Member Author

Jenkins test please

@pdudits
Copy link
Contributor

pdudits commented Nov 28, 2022

Please make clone of the issue in Catalina epic, so we would retest this with new stack as well.

@Pandrex247 Pandrex247 merged commit 6490d49 into payara:Payara6 Nov 28, 2022
@Pandrex247 Pandrex247 deleted the FISH-6775-P6 branch November 28, 2022 14:35
@Pandrex247 Pandrex247 mentioned this pull request Dec 2, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pdudits pdudits pdudits approved these changes

@aubi aubi Awaiting requested review from aubi

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Pandrex247 @pdudits