Skip to content

Adding Valve workaround for GHSA-95v2-fvxr-qg83#12

Open
iannesbitt wants to merge 7 commits into
mainfrom
advisory-patch-2026-07-01
Open

Adding Valve workaround for GHSA-95v2-fvxr-qg83#12
iannesbitt wants to merge 7 commits into
mainfrom
advisory-patch-2026-07-01

Conversation

@iannesbitt

Copy link
Copy Markdown

This is a workaround for a soon-to-be-released advisory GHSA-95v2-fvxr-qg83 to be enabled in tomcat's server.xml with versions of metacat < 3.5.0. It uses a conservative URL pattern denial strategy to catch and deny potential filesystem path traversals in a request prior to being forwarded to the webapp. It is a temporary fix for affected installations (Metacat 3.4.2 and below) and is intended to be an intermediate step towards upgrading Metacat as soon as possible.

Installation

Enable this module for the Metacat host by inserting the following line into server.xml (in the <Host ...> element):

     <Valve className="org.dataone.security.TemporaryMitigationValve" />

Restart tomcat after the Valve is in place:

systemctl restart tomcat9

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a Tomcat Valve implementation intended as a temporary mitigation for GHSA-95v2-fvxr-qg83 by rejecting requests whose URI/query contain path-traversal-style patterns (including across multiple URL-decoding rounds) before forwarding to the webapp.

Changes:

  • Add TemporaryMitigationValve (Tomcat ValveBase) that inspects request targets and denies suspicious patterns with HTTP 400.
  • Implement multi-round URL decoding to catch double-encoded traversal attempts.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/main/java/org/dataone/security/TemporaryMitigationValve.java
Comment thread src/main/java/org/dataone/security/TemporaryMitigationValve.java Outdated
Comment thread src/main/java/org/dataone/security/TemporaryMitigationValve.java

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

Comment thread src/main/java/org/dataone/security/TemporaryMitigationValve.java Outdated
Comment thread src/main/java/org/dataone/security/TemporaryMitigationValve.java
Comment on lines +48 to +50
private static final Pattern SUSPICIOUS = Pattern.compile(
"(?i)(\\.{2}|%2e|%2f|%5c|\\\\|/\\./|/\\.\\./|%252e|%252f|%255c)"
);

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leaning towards erring on the stricter side unless others disagree

Comment on lines +69 to +85
private boolean isSuspicious(String input) {
String current = input;
for (int i = 0; i < MAX_DECODE_ROUNDS; i++) {
if (SUSPICIOUS.matcher(current).find()) {
return true;
}
String decoded = decodeOnce(current);
if (decoded == null) {
return true;
}
if (decoded.equals(current)) {
break;
}
current = decoded;
}
return SUSPICIOUS.matcher(current).find();
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implemented in f7c7825 by adding focused JUnit coverage for TemporaryMitigationValve that exercises representative accepted and rejected request targets, including plain/encoded traversal and malformed % encoding cases.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

asked copilot to add unit tests

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants