OSV:GHSA-8FP4-RP6C-5GCV
Dec 02, 2021 - 10:25 p.m.

Path Traversal in com.linecorp.armeria:armeria

2021-12-02 22:25:54
Google
osv.dev

EPSS

0.002

Percentile

56.0%

Impact

An attacker can access an Armeria server’s local file system beyond its restricted directory by sending an HTTP request whose path contains %2F (encoded /), such as /files/..%2Fsecrets.txt, bypassing Armeria’s path validation logic.

Patches

Armeria 1.13.4 or above contains the hardened path validation logic that handles %2F properly.

Workarounds

This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path, e.g.

Server
  .builder()
  .serviceUnder(
    "/files",
    FileService
      .of(...)
      .decorate((delegate, ctx, req) -> {
        // Reject any request whose raw path still carries an encoded slash,
        // before FileService gets to decode and resolve it.
        String path = req.headers().path();
        if (path.contains("%2f") || path.contains("%2F")) {
          return HttpResponse.of(HttpStatus.BAD_REQUEST);
        }
        return delegate.serve(ctx, req);
      })
  )
  .build()
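The decorator above simply refuses any request carrying an encoded slash. The stand-alone Java program below, added here and not part of the advisory or of Armeria, shows why the ordering of decoding and validation matters: a check that inspects path segments before percent-decoding lets ..%2Fsecrets.txt through, while decoding exactly once and then confining the normalized result to the served directory rejects it. The root directory and the sample request paths are constructed for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

public class EncodedSlashCheck {
    // Directory the file service is meant to expose (constructed for this example).
    static final Path ROOT = Paths.get("/srv/www/files").normalize();

    // Segment-wise check: "..%2Fsecrets.txt" is ONE segment here, so it is never seen as "..".
    static boolean hasDotDotSegment(String path) {
        for (String segment : path.split("/")) {
            if (segment.equals("..")) return true;
        }
        return false;
    }

    // Flawed order: validate the still-encoded path, decode only when touching the file system.
    // Returns the file that would be served, or null if the request is rejected.
    static Path flawedLookup(String rawRelative) {
        if (hasDotDotSegment(rawRelative)) return null;          // catches "../secrets.txt" only
        String decoded = URLDecoder.decode(rawRelative, StandardCharsets.UTF_8);
        return ROOT.resolve(decoded).normalize();                // "../secrets.txt" escapes ROOT here
    }

    // Hardened order: decode exactly once, then normalize and confine the result to ROOT.
    // (URLDecoder also maps '+' to a space and throws IllegalArgumentException on malformed
    // escapes such as "%zz"; a real handler would answer such requests with 400.)
    static Path hardenedLookup(String rawRelative) {
        String decoded = URLDecoder.decode(rawRelative, StandardCharsets.UTF_8);
        Path target = ROOT.resolve(decoded).normalize();
        return target.startsWith(ROOT) ? target : null;
    }

    public static void main(String[] args) {
        // Constructed request paths, given relative to the "/files" prefix.
        // The third is the advisory's case; the fourth is double-encoded and, decoded once,
        // is just a literal file name inside ROOT, which is why decoding must not be repeated.
        String[] samples = { "readme.txt", "../secrets.txt", "..%2Fsecrets.txt", "..%252Fsecrets.txt" };
        for (String s : samples) {
            System.out.printf("%-22s flawed=%-30s hardened=%s%n", s, flawedLookup(s), hardenedLookup(s));
        }
    }
}
```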

For more information

If you have any questions or comments about this advisory:

Credits

This vulnerability was originally reported by Abdallah Zaher (elcayser-0x0a).
