
Pre-Auth Arbitrary File Upload

Critical
robinshine published GHSA-62m2-38q5-96w9 Jan 11, 2021

Package

No package listed

Affected versions

<4.0.2

Patched versions

4.0.3

Description

Impact

AttachmentUploadServlet saves user-controlled data (request.getInputStream()) to a user-specified location (request.getHeader("File-Name")):

String fileName = URLDecoder.decode(request.getHeader("File-Name"), StandardCharsets.UTF_8.name());
...
String attachmentName = attachmentSuppport.saveAttachment(fileName, request.getInputStream());

This file system operation occurs before any authentication or authorization checks are enforced.

This issue may lead to arbitrary file upload, which can be used to upload a web shell to the OneDev server.

Patches

This issue is addressed in 4.0.3 by only allowing uploaded files to be placed in the attachments folder. The web shell issue is not possible because OneDev never executes files in the attachments folder.
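
The kind of containment check the patch description implies, as an added example that is not OneDev's code: the File-Name value is decoded, resolved against the attachments folder, normalized, and rejected unless the result stays inside that folder. The class name AttachmentPathCheck, the method resolveInside and the sample header values are hypothetical and constructed for illustration.

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; class and method names are hypothetical, not OneDev code.
public class AttachmentPathCheck {
    // Resolve a client-supplied File-Name header value inside attachmentsDir,
    // or throw if the result would land anywhere else.
    static Path resolveInside(Path attachmentsDir, String headerValue) throws IOException {
        if (headerValue == null || headerValue.isEmpty())
            throw new IOException("missing File-Name header");
        Path base = attachmentsDir.toAbsolutePath().normalize();
        Path target;
        try {
            // Decode first, as the servlet does, so %2e%2e%2f is checked in decoded form.
            String fileName = URLDecoder.decode(headerValue, StandardCharsets.UTF_8.name());
            // resolve() returns its argument unchanged when that is absolute;
            // normalize() collapses "." and ".." segments lexically.
            target = base.resolve(fileName).normalize();
        } catch (IllegalArgumentException e) { // bad %-escape or invalid path (e.g. NUL)
            throw new IOException("malformed File-Name", e);
        }
        // startsWith() compares whole path elements, so /x/attachments-old is not inside /x/attachments.
        if (target.equals(base) || !target.startsWith(base))
            throw new IOException("File-Name escapes attachments folder");
        return target;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("attachments"); // constructed sample folder
        String[] samples = {                                  // constructed header values
            "report.pdf",                    // plain name: accepted
            "..%2F..%2Foutside.txt",         // encoded parent traversal: rejected
            "%2Ftmp%2Foutside.txt",          // encoded absolute path: rejected
            "sub%2F..%2F..%2Foutside.txt",   // traversal hidden behind a subfolder: rejected
        };
        for (String s : samples) {
            try {
                System.out.println("accepted: " + resolveInside(dir, s).getFileName());
            } catch (IOException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

normalize() is purely lexical, so if the attachments folder can contain symbolic links, the real path of the target's parent directory needs the same comparison. A check like this belongs behind the servlet's authentication and authorization checks, since the advisory notes that the write happened before them.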

Credits

This issue was discovered by @pwntester.

Severity

Critical

CVE ID

CVE-2021-21245

Weaknesses

No CWEs