Versions Compared

Comment: Migration of unmigrated content due to installation of a new plugin

...

{float:right|background=#eee|padding=0 1em}
    *JumpStart Demo:*
    [Protecting Pages|https://tapestry-jumpstart.org/jumpstart/examples/infrastructure/protectingpages]
{float}

For simple access control needs, you can contribute a ComponentRequestFilter with your custom logic that decides which pages should be accessed by which users. The Tapestry Hotel Booking app demonstrates this approach with an @AnonymousAccess annotation along with a ComponentRequestFilter named AuthenticationFilter.java. The filter enforces security by intercepting all requests to pages that don't have that annotation, and it redirects those requests to the login page. JumpStart has a similar demo.


For more advanced needs see the Security Framework Integration section below.
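The filter described above, written out as an added example (this is not the Hotel Booking app's or JumpStart's own code). It assumes the annotation name AnonymousAccess, a session-state class User that exists only after login, and a page named "Login"; everything else is the public Tapestry 5 API.

```java
// Added example (not the Hotel Booking app's or JumpStart's own code). Assumed
// names: the annotation AnonymousAccess, a session-state class User marking a
// logged-in user, and a page named "Login".

// ---- File: AnonymousAccess.java ----
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

/** Marks a page class that may be rendered, or receive events, without a login. */
@Target(ElementType.TYPE)
@Retention(RetentionPolicy.RUNTIME)
public @interface AnonymousAccess {
}

// ---- File: AuthenticationFilter.java ----
import java.io.IOException;

import org.apache.tapestry5.runtime.Component;
import org.apache.tapestry5.services.ApplicationStateManager;
import org.apache.tapestry5.services.ComponentEventRequestParameters;
import org.apache.tapestry5.services.ComponentRequestFilter;
import org.apache.tapestry5.services.ComponentRequestHandler;
import org.apache.tapestry5.services.ComponentSource;
import org.apache.tapestry5.services.PageRenderLinkSource;
import org.apache.tapestry5.services.PageRenderRequestParameters;
import org.apache.tapestry5.services.Response;

public class AuthenticationFilter implements ComponentRequestFilter {
    private static final String LOGIN_PAGE = "Login"; // assumed page name

    private final ApplicationStateManager stateManager;
    private final ComponentSource componentSource;
    private final PageRenderLinkSource linkSource;
    private final Response response;

    // Tapestry IoC injects these services through the constructor.
    public AuthenticationFilter(ApplicationStateManager stateManager,
                                ComponentSource componentSource,
                                PageRenderLinkSource linkSource,
                                Response response) {
        this.stateManager = stateManager;
        this.componentSource = componentSource;
        this.linkSource = linkSource;
        this.response = response;
    }

    @Override
    public void handleComponentEvent(ComponentEventRequestParameters parameters,
                                     ComponentRequestHandler handler) throws IOException {
        // Component events (form submits, action links) are checked against the page they target.
        if (allowed(parameters.getActivePageName())) {
            handler.handleComponentEvent(parameters);
        }
    }

    @Override
    public void handlePageRender(PageRenderRequestParameters parameters,
                                 ComponentRequestHandler handler) throws IOException {
        if (allowed(parameters.getLogicalPageName())) {
            handler.handlePageRender(parameters);
        }
    }

    /** Returns true if the request may proceed; otherwise redirects to the login page. */
    private boolean allowed(String pageName) throws IOException {
        // A User session-state object exists only once someone has logged in (assumption).
        if (stateManager.exists(User.class)) {
            return true;
        }
        // Deny by default: only page classes carrying @AnonymousAccess are public.
        Component page = componentSource.getPage(pageName);
        if (page.getClass().isAnnotationPresent(AnonymousAccess.class)) {
            return true;
        }
        response.sendRedirect(linkSource.createPageRenderLink(LOGIN_PAGE));
        return false;
    }
}

// ---- In AppModule.java: register the filter in the ComponentRequestHandler pipeline ----
//  public static void contributeComponentRequestHandler(
//          OrderedConfiguration<ComponentRequestFilter> configuration) {
//      configuration.addInstance("Authentication", AuthenticationFilter.class);
//  }
```

The Login page (and any error or "access denied" page the redirect can land on) must itself carry @AnonymousAccess, or the filter redirects in a loop. Because the filter denies by default, a page added later without the annotation fails closed rather than becoming accidentally public.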

...

Vulnerability Disclosures

CVE-2019-0195: File reading Leads to Java Deserialization Vulnerability.

Disclosure date: September 13th, 2019

Versions affected: all Apache Tapestry versions from 5.4.0 (including its betas) through 5.4.3

Description: By manipulating classpath asset file URLs, an attacker could guess the path to a known file on the classpath and have it downloaded. If the attacker found the file holding the value of the tapestry.hmac-passphrase configuration symbol (most probably the webapp's AppModule class), that value could be used to craft a Java deserialization attack and thus run injected malicious Java code. The vector would be the t:formdata parameter of the Form component.

...

Versions affected: all Apache Tapestry versions from 5.4.0 (including its betas) through 5.4.4.

Description: Tapestry serves context assets under `/assets/ctx` through the class chain `StaticFilesFilter -> AssetDispatcher -> ContextResource`, which does not filter the `\` character, so an attacker can perform a path traversal and read arbitrary files on the Windows platform.

...

Versions affected: all Apache Tapestry versions from 5.4.0 (including its betas) through 5.4.3

Description: The code that checks the HMAC on form submissions used
String.equals() for the comparison, which leaks a timing side channel in
the comparison of the HMAC signatures. This could lead to remote code
execution if an attacker is able to determine the correct signature for
their payload. The comparison should have been done with a constant-time
algorithm instead.

Mitigation: Upgrade to Tapestry 5.4.5, which is a drop-in replacement for any 5.4.x
version.
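The difference between the two comparisons, as an added example (this is not Tapestry's form-signing code). It assumes HmacSHA256 as the MAC algorithm and Base64 as the transport encoding of the signature; both are choices made for this example, not facts from the advisory.

```java
// Added example, not Tapestry's own code. Assumed: HmacSHA256 as the MAC
// algorithm and Base64 as the encoding of the signature carried in the form data.
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public final class FormDataSignature {
    private static final String ALGORITHM = "HmacSHA256";
    private final SecretKeySpec key;

    public FormDataSignature(String passphrase) {
        this.key = new SecretKeySpec(passphrase.getBytes(StandardCharsets.UTF_8), ALGORITHM);
    }

    /** Raw MAC over the serialized form data. */
    private byte[] mac(byte[] serializedForm) {
        try {
            Mac mac = Mac.getInstance(ALGORITHM);
            mac.init(key);
            return mac.doFinal(serializedForm);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Signature as carried alongside the serialized form data. */
    public String sign(byte[] serializedForm) {
        return Base64.getEncoder().encodeToString(mac(serializedForm));
    }

    /**
     * The pattern the advisory describes: String.equals() returns at the first
     * mismatching character, so its running time depends on how many leading
     * characters of the signature the caller already has right.
     */
    public boolean verifyLeaky(byte[] serializedForm, String presented) {
        return sign(serializedForm).equals(presented);
    }

    /**
     * Constant-time replacement: MessageDigest.isEqual() (constant-time since
     * Java 6u17) examines every byte once the lengths match, so the comparison
     * time no longer depends on where the first difference lies. Undecodable
     * input is simply a rejection. Run this BEFORE deserializing the form data.
     */
    public boolean verifyConstantTime(byte[] serializedForm, String presented) {
        byte[] given;
        try {
            given = Base64.getDecoder().decode(presented);
        } catch (IllegalArgumentException e) {
            return false;
        }
        return MessageDigest.isEqual(mac(serializedForm), given);
    }

    public static void main(String[] args) {
        // Constructed sample: a passphrase and a blob standing in for serialized form data.
        FormDataSignature sig = new FormDataSignature("example-passphrase-not-a-real-one");
        byte[] form = "field1=value1&field2=value2".getBytes(StandardCharsets.UTF_8);
        byte[] tampered = "field1=value1&field2=OTHER".getBytes(StandardCharsets.UTF_8);
        String signature = sig.sign(form);

        System.out.println("untouched form accepted: " + sig.verifyConstantTime(form, signature));
        System.out.println("tampered form accepted:  " + sig.verifyConstantTime(tampered, signature));
        System.out.println("non-Base64 accepted:     " + sig.verifyConstantTime(form, "!!not-base64"));
    }
}
```

The decisive property is that the rejection path costs the same regardless of how close the presented signature is to the correct one; verifyLeaky() is included only to show the shape of code being replaced.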

...

David Tomaschik of the Google Security Team

CVE-2019-10071: Bypass of the fix for CVE-2019-0195

Disclosure date: March 14th, 2021

Versions affected: all Apache Tapestry versions from 5.4.0 (including its betas) through 5.6.1, plus 5.7.0.

Description: A critical unauthenticated remote code execution vulnerability was found in all recent versions of Apache Tapestry. The affected versions include 5.4.5, 5.5.0, 5.6.2 and 5.7.0.

The vulnerability I have found is a bypass of the fix for CVE-2019-0195. 

Recap:

Before the fix of CVE-2019-0195 it was possible to download arbitrary class files from the classpath by providing a crafted asset file URL. An attacker was able to download the file `AppModule.class` by requesting the URL `http://localhost:8080/assets/something/services/AppModule.class`, which contains an HMAC secret key. The fix for that bug was a blacklist filter that checks if the URL ends with `.class`, `.properties` or `.xml`.

Bypass:

Unfortunately, the blacklist solution can simply be bypassed by appending a `/` at the end of the URL: `http://localhost:8080/assets/something/services/AppModule.class/`

The slash is stripped after the blacklist check and the file `AppModule.class` is loaded into the response. This class usually contains the HMAC secret key which is used to sign serialized Java objects. With the knowledge of that key an attacker can sign a Java gadget chain that leads to RCE (e.g. CommonsBeanUtils1 from ysoserial).

Solution for this vulnerability:

* For Apache Tapestry 5.4.0 to 5.6.1, upgrade to 5.6.2 or later.

* For Apache Tapestry 5.7.0, upgrade to 5.7.1 or later.

This issue is being tracked as TAP5-2663.

Credit:

Apache Tapestry would like to thank Johannes Moritz for finding and reporting this vulnerability.
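Both asset-path findings on this page, the unfiltered backslash in context-asset paths and the suffix blacklist that a trailing slash bypassed, come down to the same defect: a check that runs on a different form of the path than the one that is eventually resolved. The following added example (not Tapestry's AssetDispatcher or the 5.6.2/5.7.1 fix) models the flawed ordering next to a canonicalize-then-check version; the suffix list is the one the advisory names, the sample paths are constructed.

```java
// Added example, not Tapestry's asset-dispatching code. It models the two
// checks described above: the suffix blacklist that the trailing "/" bypassed,
// and the unfiltered backslash in context-asset paths.
import java.util.Locale;

public final class AssetPathPolicy {
    // The suffixes the advisory lists as blacklisted after CVE-2019-0195.
    private static final String[] FORBIDDEN_SUFFIXES = { ".class", ".properties", ".xml" };

    /** The flawed shape: suffix test on the raw path; the trailing slash is stripped only afterwards. */
    static boolean flawedSuffixCheck(String rawPath) {
        // The resolver later drops a trailing "/" and loads the resource, so a path ending
        // in ".class/" passes this test and still resolves to the .class file.
        return !hasForbiddenSuffix(rawPath);
    }

    /** Canonicalize first, decide second: every check runs on the form that will be resolved. */
    public static boolean isAllowed(String rawPath) {
        // rawPath is the path as handed over by the servlet container (already URL-decoded);
        // decoding it again here would reintroduce double-decoding problems.

        // 1. Backslash: a separator on Windows, never legitimate in an asset URL.
        if (rawPath.indexOf('\\') >= 0) {
            return false;
        }
        // 2. Dot-segments: refuse them rather than try to resolve them.
        for (String segment : rawPath.split("/", -1)) {
            if (segment.equals("..") || segment.equals(".")) {
                return false;
            }
        }
        // 3. Strip trailing slashes BEFORE the suffix test, mirroring what the resolver does.
        String path = rawPath;
        while (path.endsWith("/")) {
            path = path.substring(0, path.length() - 1);
        }
        // 4. Suffix test on the canonical path.
        return !hasForbiddenSuffix(path);
    }

    private static boolean hasForbiddenSuffix(String path) {
        String lower = path.toLowerCase(Locale.ROOT);
        for (String suffix : FORBIDDEN_SUFFIXES) {
            if (lower.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample paths, relative to the /assets/ prefix.
        String[] samples = {
            "something/services/AppModule.class",   // plain: both checks refuse
            "something/services/AppModule.class/",  // trailing slash: only the flawed check accepts
            "ctx/css\\..\\private.txt",             // backslash: only the hardened check refuses
            "ctx/css/site.css",                     // ordinary asset: both accept
        };
        for (String p : samples) {
            System.out.printf("%-40s flawed=%-5s hardened=%s%n",
                    p, flawedSuffixCheck(p), isAllowed(p));
        }
    }
}
```

A suffix blacklist is still the weaker design: an allowlist of the directories and file types that may be served at all leaves nothing to enumerate, and the canonicalize-then-check order matters just as much for it.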

CVE-2022-31781: Regular Expression Denial of Service (ReDoS) in ContentType.java. (GHSL-2022-022)

Disclosure date: July 12th, 2022

Versions affected:

This issue affects Apache Tapestry 5.8.1 and earlier.

Severity: low

Description:

Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete.

Specifically, this is about the regular expression used on the parameter of the org.apache.tapestry5.http.ContentType class.

Apache Tapestry 5.8.2 has a fix for this vulnerability.

Note that the vulnerability cannot be triggered by web requests through Tapestry code alone. It would only occur if some non-Tapestry code path passes outside input to the ContentType class constructor.

Acknowledgements:
CodeQL team members [@atorralba (Tony Torralba)](https://github.com/atorralba) and [@joefarebrother (Joseph Farebrother)](https://github.com/joefarebrother).
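The general mitigation for a ReDoS in a header parser is to stop matching the parameter section with a backtracking regular expression at all. The following is an added example, not the org.apache.tapestry5.http.ContentType implementation or the 5.8.2 fix: it parses "type/subtype; name=value; ..." in one left-to-right pass with indexOf, so the cost is linear in the input length, and it bounds the input length up front. MAX_LENGTH and the sample inputs are choices made for this example.

```java
// Added example, not the org.apache.tapestry5.http.ContentType implementation
// or the 5.8.2 fix. One left-to-right pass, no regular expression, bounded input.
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public final class LinearContentType {
    private static final int MAX_LENGTH = 1024;          // assumed bound for this example
    // RFC 2045 tspecials: characters that may not appear inside a token.
    private static final String TSPECIALS = "()<>@,;:\\\"/[]?=";

    private final String mimeType;
    private final Map<String, String> parameters = new LinkedHashMap<>();

    private LinearContentType(String mimeType) {
        this.mimeType = mimeType;
    }

    public String getMimeType() { return mimeType; }
    public Map<String, String> getParameters() { return Collections.unmodifiableMap(parameters); }

    public static LinearContentType parse(String header) {
        if (header == null || header.length() > MAX_LENGTH) {
            throw new IllegalArgumentException("missing or over-long content type");
        }
        int semi = header.indexOf(';');
        String mime = (semi < 0 ? header : header.substring(0, semi)).trim();
        int slash = mime.indexOf('/');
        if (slash < 0 || !isToken(mime.substring(0, slash)) || !isToken(mime.substring(slash + 1))) {
            throw new IllegalArgumentException("malformed media type: " + mime);
        }
        LinearContentType ct = new LinearContentType(mime.toLowerCase(Locale.ROOT));

        // Each parameter is consumed exactly once; indexOf never re-scans earlier input.
        while (semi >= 0) {
            int next = header.indexOf(';', semi + 1);
            String param = (next < 0 ? header.substring(semi + 1)
                                     : header.substring(semi + 1, next)).trim();
            if (!param.isEmpty()) {
                int eq = param.indexOf('=');
                if (eq <= 0) {
                    throw new IllegalArgumentException("malformed parameter: " + param);
                }
                String name = param.substring(0, eq).trim();
                String value = param.substring(eq + 1).trim();
                if (!isToken(name)) {
                    throw new IllegalArgumentException("malformed parameter name: " + name);
                }
                if (value.length() >= 2 && value.charAt(0) == '"'
                        && value.charAt(value.length() - 1) == '"') {
                    // quoted-string; a ';' inside the quotes is not supported by this simplified parser
                    value = value.substring(1, value.length() - 1);
                } else if (!isToken(value)) {
                    throw new IllegalArgumentException("malformed parameter value: " + value);
                }
                ct.parameters.put(name.toLowerCase(Locale.ROOT), value);
            }
            semi = next;
        }
        return ct;
    }

    private static boolean isToken(String s) {
        if (s.isEmpty()) {
            return false;
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c <= ' ' || c >= 127 || TSPECIALS.indexOf(c) >= 0) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        LinearContentType ok = parse("text/html; charset=utf-8; boundary=\"a b\"");
        System.out.println(ok.getMimeType() + " " + ok.getParameters());

        // Constructed junk: a long run of separators is walked exactly once and the
        // malformed value at the end is rejected, with cost proportional to the length.
        StringBuilder junk = new StringBuilder("text/plain");
        for (int i = 0; i < 500; i++) {
            junk.append("; ");
        }
        junk.append("charset=utf 8");
        try {
            parse(junk.toString());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Where replacing the regular expression is not an option, the same two guards still apply to the caller: cap the length of anything passed to the constructor and make sure only trusted input reaches it, which is exactly the condition the note above says must already hold for the Tapestry code paths.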

