
Security vulnerability in dependent library - commons-io

Open · eydevelopment opened this issue 4 years ago · 1 comment

The WhiteSource utility flagged the following issue in commons-io, which is a library used in ring-core:

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Suggested fix by the utility: upgrade to version commons-io:commons-io:2.7, or replace or update the following files: FilenameUtilsTestCase.java, FilenameUtils.java

eydevelopment · Jun 29 '21 18:06
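As an added illustration (not code from ring or from the reporter), the pattern that keeps the flagged behaviour from mattering: the caller never treats the string returned by `FilenameUtils.normalize` as safe on its own, but resolves it against a base directory and checks that the resulting path is still inside that directory. The class and method names (`SafeResolve`, `resolveInside`) are assumptions for this example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import org.apache.commons.io.FilenameUtils;

public final class SafeResolve {
    private SafeResolve() {}

    /**
     * Resolves a caller-supplied relative name under baseDir.
     * Returns the resolved path, or null if the name must be rejected.
     */
    public static Path resolveInside(Path baseDir, String userSupplied) {
        // Before 2.7 an input such as "//../foo" came back from normalize()
        // unchanged; from 2.7 on it comes back as null. Either way the value
        // is not trusted until the containment check below has passed.
        String normalized = FilenameUtils.normalize(userSupplied);
        if (normalized == null) {
            return null;
        }
        Path base = baseDir.toAbsolutePath().normalize();
        // resolve() then normalize() collapses any remaining ".." segments;
        // an absolute input like "//../foo" replaces base entirely, which
        // the startsWith() check catches.
        Path candidate = base.resolve(normalized).normalize();
        if (!candidate.startsWith(base)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/app/public"); // constructed sample base directory
        System.out.println(resolveInside(base, "css/site.css"));   // /srv/app/public/css/site.css
        System.out.println(resolveInside(base, "//../foo"));       // null (rejected)
        System.out.println(resolveInside(base, "../../etc/passwd")); // null (rejected)
    }
}
```

The version upgrade the utility suggests closes the library-side defect; the containment check is what protects the calling code regardless of which commons-io version is on the classpath.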

If this is an issue in Ring core, can you move this issue to that repository?

I don't believe this will affect Ring core, as the normalize method isn't used, nor do I believe it would be used in any derived function. However, it's better to be safe than sorry, so I'll update the dependency.

weavejester · Jun 30 '21 00:06