Adding Valve workaround for GHSA-95v2-fvxr-qg83#12
Conversation
… suggestion for metacat<3.5.0
There was a problem hiding this comment.
Pull request overview
This PR introduces a Tomcat Valve implementation intended as a temporary mitigation for GHSA-95v2-fvxr-qg83 by rejecting requests whose URI/query contain path-traversal-style patterns (including across multiple URL-decoding rounds) before forwarding to the webapp.
Changes:
- Add
TemporaryMitigationValve(TomcatValveBase) that inspects request targets and denies suspicious patterns with HTTP 400. - Implement multi-round URL decoding to catch double-encoded traversal attempts.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
… `null` when an illegal sequence is found
| private static final Pattern SUSPICIOUS = Pattern.compile( | ||
| "(?i)(\\.{2}|%2e|%2f|%5c|\\\\|/\\./|/\\.\\./|%252e|%252f|%255c)" | ||
| ); |
There was a problem hiding this comment.
Leaning towards erring on the stricter side unless others disagree
| private boolean isSuspicious(String input) { | ||
| String current = input; | ||
| for (int i = 0; i < MAX_DECODE_ROUNDS; i++) { | ||
| if (SUSPICIOUS.matcher(current).find()) { | ||
| return true; | ||
| } | ||
| String decoded = decodeOnce(current); | ||
| if (decoded == null) { | ||
| return true; | ||
| } | ||
| if (decoded.equals(current)) { | ||
| break; | ||
| } | ||
| current = decoded; | ||
| } | ||
| return SUSPICIOUS.matcher(current).find(); | ||
| } |
There was a problem hiding this comment.
Implemented in f7c7825 by adding focused JUnit coverage for TemporaryMitigationValve that exercises representative accepted and rejected request targets, including plain/encoded traversal and malformed % encoding cases.
There was a problem hiding this comment.
asked copilot to add unit tests
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
This is a workaround for a soon-to-be-released advisory
GHSA-95v2-fvxr-qg83to be enabled in tomcat'sserver.xmlwith versions of metacat < 3.5.0. It uses a conservative URL pattern denial strategy to catch and deny potential filesystem path traversals in a request prior to being forwarded to the webapp. It is a temporary fix for affected installations (Metacat 3.4.2 and below) and is intended to be an intermediate step towards upgrading Metacat as soon as possible.Installation
Enable this module for the Metacat host by inserting the following line into
server.xml(in the<Host ...>element):Restart tomcat after the
Valveis in place: