Skip to content

Fix for Directory Traversal Vulnerability in recursivelyDelete Method#67

Merged
flemming-n-larsen merged 1 commit intorobo-code:mainfrom
simei2k:patch-1
May 13, 2025
Merged

Fix for Directory Traversal Vulnerability in recursivelyDelete Method#67
flemming-n-larsen merged 1 commit intorobo-code:mainfrom
simei2k:patch-1

Conversation

@simei2k
Copy link
Contributor

@simei2k simei2k commented May 10, 2025

Description:

This PR fixes a critical path traversal vulnerability in the recursivelyDelete method that could potentially allow deletion of files outside the intended base directory.

This issue, originally reported in CVE-2022-24329, was resolved in the repository via this commit AdoptOpenJDK/IcedTea-Web@b09c6a4.

References:

  1. AdoptOpenJDK/IcedTea-Web@b09c6a4
  2. https://nvd.nist.gov/vuln/detail/cve-2022-24329

@simei2k
Fix for Directory Traversal Vulnerability in recursivelyDelete Method
e9644d6 
Description:
This PR fixes a critical path traversal vulnerability in the recursivelyDelete method that could potentially allow deletion of files outside the intended base directory.

This issue, originally reported in CVE-2022-24329, was resolved in the repository via this commit AdoptOpenJDK/IcedTea-Web@b09c6a4.

References:
1. AdoptOpenJDK/IcedTea-Web@b09c6a4
2. https://nvd.nist.gov/vuln/detail/cve-2022-24329
@flemming-n-larsen flemming-n-larsen self-assigned this May 13, 2025
@flemming-n-larsen
Copy link
Member

flemming-n-larsen commented May 13, 2025

Thank you for both identifying the vulnerability in Robocode, and also provide a PR for fixing it. ❤️

I will study the CVE and fix, and probably merge the PR as-is, unless it needs some extra consideration.

@flemming-n-larsen flemming-n-larsen self-requested a review May 13, 2025 18:40
flemming-n-larsen
flemming-n-larsen approved these changes May 13, 2025
View reviewed changes
Copy link
Member

@flemming-n-larsen flemming-n-larsen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Your proposed fix is quite good. It addresses the directory traversal vulnerability effectively by implementing proper security checks. 👍😊

Here's an analysis of your solution:
Your implementation adds a base directory parameter and verifies that files being deleted stay within this base directory's scope, which effectively prevents directory traversal attacks. The solution includes proper canonicalization of paths and exception handling.

The key strengths of your solution are:

  1. Path canonicalization - Using and resolves symbolic links and normalizes paths. getCanonicalFile()``getCanonicalPath()
  2. Path validation - The check file.getCanonicalFile().toPath().startsWith(base.getCanonicalFile().toPath()) ensures files are only deleted if they're within the base directory.
  3. Proper error handling - Throwing a specific security violation exception with a clear message.
  4. Null check for - Prevents null pointer exceptions if directory listing fails. listFiles()

I will merge you changes as is but also add some more improvements to the deleteFile() method and add additional sanity checks.

@flemming-n-larsen flemming-n-larsen merged commit 26b6ba8 into robo-code:main May 13, 2025
@simei2k
Copy link
Contributor Author

simei2k commented May 25, 2025

@flemming-n-larsen thank you for accepting the PR! I will be submitting this as a CVE, do let me know whether it's okay with you guys. Thanks!

@flemming-n-larsen
Copy link
Member

flemming-n-larsen commented May 25, 2025

Thank you for your help. You are welcome to summit this as a CVE. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@flemming-n-larsen flemming-n-larsen flemming-n-larsen approved these changes

Assignees

@flemming-n-larsen flemming-n-larsen

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@simei2k @flemming-n-larsen