CVE-2023-29986: Issue about Partial Path Traversal · Issue #33 · lukashinsch/spring-boot-actuator-logview
spring-boot-actuator-logview 0.2.13 allows Directory Traversal to sibling directories via LogViewEndpoint.view.
The patch file for CVE-2021-21234 still has a vulnerability, which is a partial path traversal vulnerability.
In commit 1c76e1e, the securityCheck function uses canonicalLoggingPath.startsWith(baseCanonicalPath) to check for path traversal. Because this is a plain string-prefix comparison, it still allows a malicious actor to break out of the expected directory. The impact is limited to sibling directories whose names share the base directory's name as a prefix. For example, userControlled.getCanonicalPath().startsWith("/usr/out") will allow an attacker to access a directory with a name like /usr/outnot.
Comparing paths with java.nio.file.Path#startsWith, which compares whole path elements rather than characters, will adequately protect against this vulnerability.
For example: file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY) or file.getCanonicalFile().toPath().startsWith(BASE_DIRECTORY_FILE.getCanonicalFile().toPath())
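The following added example (not code from the spring-boot-actuator-logview project) puts the string-prefix check next to the element-wise Path check. It builds a temporary directory with a base directory named "out" and a sibling named "outnot", then shows that the string check accepts a file under the sibling while the Path check rejects it. The method names and the temporary directory layout are assumptions made for this demonstration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class PartialPathTraversalDemo {

    // Weak check with the same shape as the one described in the issue:
    // a character-level prefix comparison of two canonical path strings.
    static boolean stringPrefixCheck(File base, File candidate) throws IOException {
        String baseCanonical = base.getCanonicalPath();
        String candidateCanonical = candidate.getCanonicalPath();
        return candidateCanonical.startsWith(baseCanonical);
    }

    // Hardened check: canonicalize both sides, then compare path elements.
    // Path#startsWith(Path) only matches when every element of the base
    // path is a whole element of the candidate, so "outnot" is not "out".
    static boolean pathElementCheck(File base, File candidate) throws IOException {
        Path basePath = base.getCanonicalFile().toPath();
        Path candidatePath = candidate.getCanonicalFile().toPath();
        return candidatePath.startsWith(basePath);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/out (allowed base) and <tmp>/outnot (sibling).
        Path tmp = Files.createTempDirectory("logview-demo");
        File base = Files.createDirectory(tmp.resolve("out")).toFile();
        File sibling = Files.createDirectory(tmp.resolve("outnot")).toFile();

        File inside = new File(base, "app.log");                      // legitimate
        File siblingFile = new File(sibling, "secret.log");           // sibling directory
        File dotDotEscape = new File(base, "../outnot/secret.log");   // resolves to the sibling

        report("inside base", base, inside);
        report("sibling directory", base, siblingFile);
        report("../ into sibling", base, dotDotEscape);
    }

    static void report(String label, File base, File candidate) throws IOException {
        System.out.printf("%-20s string prefix check: %-5s  path element check: %s%n",
                label,
                stringPrefixCheck(base, candidate),
                pathElementCheck(base, candidate));
    }
}
```

Both checks accept the file inside the base directory and both canonicalize "../" away, but only the string-prefix variant accepts the two candidates that land in "outnot". Canonicalizing both sides before comparing also keeps the check stable on systems where the temporary directory itself is reached through a symlink.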