CVE-2022-26068: fix(swagger/security): ensure that the requested file is in the UI directory by Tachi107 · Pull Request #1065 · pistacheio/pistache

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(swagger/security): ensure that the requested file is in the UI directory #1065

Conversation 1 Commits 1 Checks 8 Files changed

Conversation

The Rest::Swagger class didn’t check if the file asked from the user was contained in the UI directory, thus allowing users to access arbitrary files in the filesystem.

Thanks to Kirill Efimov (@Kirill89) and the Snyk Security team (@snyk) for finding and reporting the vulnerability to the Pistache team.

Closes #1064

…rectory

The Rest::Swagger class didn’t check if the file asked from the user was contained in the UI directory, thus allowing users to access arbitrary files in the filesystem.

Thanks to Kirill Efimov (@Kirill89) and the Snyk Security team for finding and reporting the vulnerability to the Pistache team.

abidiff reports a potential ABI change, but that’s probably related to the inclusion of <filesystem>. It exited with status 4, that according to the manual maps to ABIDIFF_ABI_CHANGE, meaning that the ABI changed but non necessarily in a breaking manner. As all the changes have been applied to internal code, I believe that this failure can be ignored.

Edit: they seem template instantiations

2 participants