An attacker can access an Armeria server’s local file system beyond its restricted directory by sending an HTTP request whose path contains %2F
(encoded /
), such as /files/..%2Fsecrets.txt
, bypassing Armeria’s path validation logic.
Armeria 1.13.4 or above contains the hardened path validation logic that handles %2F
properly.
This vulnerability can be worked around by inserting a decorator that performs an additional validation on the request path, e.g.
Server
.builder()
.serviceUnder(
"/files",
FileService
.of(...)
.decorate((delegate, ctx, req) -> {
String path = req.headers().path();
if (path.contains("%2f") || path.contains("%2F")) {
return HttpResponse.of(HttpStatus.BAD_REQUEST);
}
return delegate.serve(ctx, req);
})
)
.build()
If you have any questions or comments about this advisory:
This vulnerability was originally reported by Abdallah Zaher (elcayser-0x0a).