Skip to content
This repository has been archived by the owner on May 17, 2024. It is now read-only.

fix: relative path traversal vulnerability allows loading of arbitrary files #181

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

hackersontwohouse
Copy link

Affected of this project lyft/mapper are vulnerable to Directory Traversal. TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers.

        raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }

CWE-22
CWE-23
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

…y files

Affected of this project `lyft/mapper` are vulnerable to Directory Traversal. `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. that allows file uploads and has a time zone selector that accepts arbitrary time zone identifiers.

```js
        raise InvalidTimezoneIdentifier, 'Invalid identifier' if identifier !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/
    assert_raises(InvalidTimezoneIdentifier) { Timezone.get('../Definitions/UTC') }
```
CWE-22
CWE-23
`CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H`
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants