Impact
An attacker can access an Armeria server's local file system beyond its restricted directory by sending an HTTP request whose path contains %2F (a percent-encoded /), such as /files/..%2Fsecrets.txt (which decodes to /files/../secrets.txt), bypassing Armeria's path validation logic.
Patches
Armeria 1.13.4 or above contains the hardened path validation logic that handles %2F properly.
Workarounds
This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path, e.g.

    Server
        .builder()
        .serviceUnder(
            "/files",
            FileService
                .of(...)
                .decorate((delegate, ctx, req) -> {
                    // req.headers().path() is the :path header as the client sent it,
                    // so the encoded slash is still visible here and can be rejected
                    // before FileService resolves the path.
                    String path = req.headers().path();
                    if (path.contains("%2f") || path.contains("%2F")) {
                        return HttpResponse.of(HttpStatus.BAD_REQUEST);
                    }
                    return delegate.serve(ctx, req);
                })
        )
        .build()

The decorator must inspect the undecoded path: once %2F has been decoded to /, a check for the encoded sequence no longer finds anything, so the additional validation has to run before the service that decodes and resolves the path.
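The following is an added illustration of the bug class behind this advisory, not Armeria's own validation code and not the fix shipped in 1.13.4: a validator that splits the undecoded request path on / never sees a ".." segment in /files/..%2Fsecrets.txt, while a check that refuses encoded slashes, percent-decodes once, and normalizes the result against the served directory rejects it. The root directory /srv/files and the prefix /files are assumptions for the demo.

```java
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Optional;

// Illustrative path checks (example code, not Armeria's). Shows why a validator
// that inspects the undecoded request path misses "..%2F", and how a check that
// refuses encoded slashes and normalizes the decoded path stops it.
public final class EncodedSlashCheck {

    // Naive validator: splits the raw ":path" on '/' and looks for a ".." segment.
    // "/files/..%2Fsecrets.txt" splits into ["", "files", "..%2Fsecrets.txt"];
    // no segment equals "..", so the request is accepted.
    static boolean naiveAccepts(String rawPath) {
        for (String seg : rawPath.split("/")) {
            if (seg.equals("..")) {
                return false;
            }
        }
        return true;
    }

    // Hardened resolver: refuse an encoded slash up front, percent-decode exactly
    // once, strip the route prefix, then normalize against the root and verify
    // the result is still inside it. Returns the file to serve, or empty when
    // the request must be rejected.
    static Optional<Path> hardenedResolve(Path root, String prefix, String rawPath) {
        if (rawPath.toLowerCase(Locale.ROOT).contains("%2f")) {
            return Optional.empty(); // encoded slash is never legitimate in a file name here
        }
        String decoded;
        try {
            decoded = URI.create(rawPath).getPath(); // decodes %XX escapes a single time
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed escape such as "%zz"
        }
        if (decoded == null || !decoded.startsWith(prefix + "/")) {
            return Optional.empty();
        }
        String rel = decoded.substring(prefix.length() + 1);
        Path resolved = root.resolve(rel).normalize();
        if (!resolved.startsWith(root)) {
            return Optional.empty(); // a ".." survived decoding and escaped the root
        }
        return Optional.of(resolved);
    }

    public static void main(String[] args) {
        // Assumed served directory and route prefix for the demonstration.
        Path root = Paths.get("/srv/files").toAbsolutePath().normalize();
        String attack = "/files/..%2Fsecrets.txt"; // the request from the advisory
        String benign = "/files/readme.txt";

        // The naive check accepts the traversal, yet the same path, once decoded,
        // resolves outside the root.
        if (!naiveAccepts(attack)) {
            throw new AssertionError("naive check unexpectedly rejected the request");
        }
        Path decodedTarget = root.resolve("../secrets.txt").normalize();
        if (decodedTarget.startsWith(root)) {
            throw new AssertionError("expected the decoded path to escape the root");
        }

        if (hardenedResolve(root, "/files", attack).isPresent()) {
            throw new AssertionError("hardened check let the traversal through");
        }
        Optional<Path> served = hardenedResolve(root, "/files", benign);
        if (!served.isPresent()) {
            throw new AssertionError("hardened check rejected a benign path");
        }
        System.out.println("naive check accepts " + attack
                + " but the hardened check rejects it; "
                + benign + " is served from " + served.get());
    }
}
```

A double-encoded request such as /files/..%252Fsecrets.txt is decoded once to the literal file name "..%2Fsecrets.txt" under the root, so it is not a traversal; the important property is that decoding happens exactly once and the ".." check runs on the decoded, normalized result.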
For more information
If you have any questions or comments about this advisory:
Credits
This vulnerability was originally reported by Abdallah Zaher (elcayser-0x0a).