Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Report some code that may cause security issues. #9435

Closed
Xiqinger opened this issue Mar 26, 2024 · 1 comment · Fixed by #9436
Closed

Report some code that may cause security issues. #9435

Xiqinger opened this issue Mar 26, 2024 · 1 comment · Fixed by #9436
Labels
bug code task Code cleanup task
Milestone
7.6.2

Comments

@Xiqinger
Copy link
Contributor

Describe the bug

1. Path Travel

version >= 6.*

file

image

Merely checking the compliance of files during creation is insufficient to ensure security. Additional validation is required to verify the compliance of directory creation, as failure to do so may result in system instability or exploitation by other attacks.

Recommend:
Move the path validation statement from line 1968 to before line 1960.

2. Open Redirect

version <=6.*

file

image

"request.getContextPath" return the path starts with a "/" character but does not end with a "/" character.
So, "controlledvocabularytag".startsWith("controlledvocabulary") = true. The URL may escape the base URL, potentially leading to security vulnerabilities.

Recommend:
For example, by replacing the condition "callerUrl.equals(contextPath)" with "callerUrl.equals(contextPath) || callerUrl.startsWith(contextPath + "/")" to ensure proper validation.

3. no hasNext before call next()

version = 7.*

file

image

I couldn't find the code logic that ensures the 'bundles' and 'getItems()' are not empty. If it cannot be guaranteed, it is recommended to perform a 'hasNext' check before calling 'next' to avoid potential NullPointerExceptions or unexpected behavior.

Additionally, I have identified a similar issue in the 'ItemImportServiceImpl'. However, upon manual analysis, it appears that if 'mycollections' is null, the 'addItem' method may not be executed. Due to the complexity of the code logic, it is uncertain whether this behavior is intentional or a potential oversight. Further investigation and clarification are recommended to ensure the expected behavior of the code.

image

4. [just recommend] ByteArrayOutputStream use after close

version = 7.*

file

image

'ByteArrayOutputStream out' variable may be closed within the 'disseminate' method. However, within the loop, 'out' is still being used through the 'write' operation. Because the 'close' method of 'ByteArrayOutputStream' has no effect, it is not a bug. But it's not recommended.
@Xiqinger Xiqinger added bug needs triage New issue needs triage and/or scheduling labels Mar 26, 2024
@tdonohue
Copy link
Member

@Xiqinger : If you or someone on your team can find time to send us Pull Requests to resolve any of these issues, we can give them a review/test. Keep in mind that DSpace 6 and below are no longer under support, so issues in those releases will not be fixed. But, we welcome pull requests to fix DSpace 7 issues.

DSpace is built/maintained by it's community of volunteers. So, if you don't find time to send a PR, then we'll do our best to locate a different volunteer to analyze this ticket to see how best to resolve these issues. Thanks.

@Xiqinger Xiqinger mentioned this issue Mar 26, 2024
Merged
@tdonohue tdonohue added code task Code cleanup task and removed needs triage New issue needs triage and/or scheduling labels May 3, 2024
@tdonohue tdonohue added this to the 7.6.2 milestone May 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug code task Code cleanup task
Projects
DSpace 7.6.x Maintenance
Status: Done
Milestone
7.6.2
Development

Successfully merging a pull request may close this issue.

Issue-9435 Xiqinger/DSpace
2 participants
@tdonohue @Xiqinger