
CVE-2022-23082 PoC — WhiteSource CureKit Path Traversal Vulnerability

Source
Associated Vulnerability
Title: WhiteSource CureKit Path Traversal Vulnerability (CVE-2022-23082)
Description: WhiteSource CureKit is a security library from the Japanese company WhiteSource, used by the WhiteSource Cure self-fixing product. WhiteSource CureKit versions 1.0.1 through 1.0.3 contain a security vulnerability: isFileOutsideDir fails to properly sanitize user input, which may lead to path traversal.
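The description above names the failure mode (a directory-containment check that can be bypassed by crafted input) without showing what a robust check looks like. The following is an added illustration written for this page, not CureKit's own FileSecurityUtils code and not a reproduction of the CVE. The class name PathContainmentExample, the method names and the temporary directory layout are all constructed for the demo. It contrasts a naive string-prefix check on the absolute path with a check that normalizes, resolves symlinks for existing targets and compares path components:

```java
import java.io.File;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Comparator;

/** Added example (not CureKit code): safe "is this file outside the base directory?" check. */
public final class PathContainmentExample {

    /** Naive check, shown only for contrast: string prefix on the absolute (not canonical) path. */
    public static boolean naiveIsOutside(Path baseDir, String userSupplied) {
        String abs = new File(baseDir.toFile(), userSupplied).getAbsolutePath();
        return !abs.startsWith(baseDir.toString());
    }

    /** Hardened check: returns true when userSupplied escapes baseDir. */
    public static boolean isOutsideBaseDir(Path baseDir, String userSupplied) throws IOException {
        // Canonical base: symlinks followed, "." and ".." removed.
        Path base = baseDir.toRealPath();
        // An absolute userSupplied replaces the base entirely; normalize() folds "..".
        Path candidate = base.resolve(userSupplied).normalize();
        if (Files.exists(candidate)) {
            // For existing targets, follow symlinks so a link inside base cannot point outside.
            candidate = candidate.toRealPath();
        }
        // Component-wise comparison: "/base-evil/x" is not under "/base" even though
        // the string "/base-evil/x" starts with "/base".
        return !candidate.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sandbox: a base directory and a sibling whose name shares the base as a prefix.
        Path base = Files.createTempDirectory("containment-demo-").toRealPath();
        Files.createDirectories(base.resolve("reports"));
        Files.writeString(base.resolve("reports/q1.txt"), "constructed sample\n");
        Path sibling = Files.createDirectories(base.resolveSibling(base.getFileName() + "-evil"));
        Files.writeString(sibling.resolve("secret.txt"), "constructed sample\n");

        String[] inputs = {
            "reports/q1.txt",                                       // legitimate
            "../etc/passwd",                                        // classic dot-dot escape
            "/etc/passwd",                                          // absolute path input
            "reports/../../" + sibling.getFileName() + "/secret.txt" // prefix-confusion sibling
        };
        System.out.printf("%-60s %-6s %s%n", "input", "naive", "hardened");
        for (String in : inputs) {
            System.out.printf("%-60s %-6s %s%n", in,
                    naiveIsOutside(base, in), isOutsideBaseDir(base, in));
        }
        // Symlink inside base pointing outside; skipped where links are not permitted.
        try {
            Files.createSymbolicLink(base.resolve("link"), sibling);
            String in = "link/secret.txt";
            System.out.printf("%-60s %-6s %s%n", in,
                    naiveIsOutside(base, in), isOutsideBaseDir(base, in));
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("symlink case skipped: " + e.getMessage());
        }
        deleteRecursively(base);
        deleteRecursively(sibling);
    }

    /** Removes the constructed sandbox; symlinks are deleted as links, not followed. */
    private static void deleteRecursively(Path dir) throws IOException {
        try (var paths = Files.walk(dir)) {
            paths.sorted(Comparator.reverseOrder()).forEach(p -> {
                try { Files.delete(p); } catch (IOException e) { throw new UncheckedIOException(e); }
            });
        }
    }
}
```

Run with `java PathContainmentExample.java` (Java 11 or later). The naive column reports "inside" for the dot-dot, prefix-confusion and symlink cases because it never canonicalizes and compares strings rather than path components; the hardened column rejects all three and accepts only `reports/q1.txt`. The remaining gap a reviewer should keep in mind is time-of-check/time-of-use: the canonical path is only as good as the filesystem state at the moment it is computed.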
Readme
CureKit - WhiteSource Cure Encoding Package
==========================

[![Language](https://img.shields.io/badge/language-Java-pink)](https://travis-ci.org/OWASP/owasp-java-encoder) [![Build Status](https://travis-ci.org/OWASP/owasp-java-encoder.svg?branch=main)](https://travis-ci.org/OWASP/owasp-java-encoder) [![License](https://img.shields.io/badge/license-Apache%202.0-blue)](https://www.apache.org/licenses/LICENSE-2.0.html)

CureKit is a security library mostly used by the WhiteSource Cure self-fixing product.

WhiteSource Cure is an innovative solution that automatically generates remediation suggestions for vulnerabilities identified by detection tools in proprietary code.
The remediation suggestions are presented on the vulnerable code itself and can be used as-is in your IDE.

CureKit contains encoders and other utilities, critical to the Self-Healing process suggested by WhiteSource Cure.
The sanitization methods in CureKit provide fixes for security vulnerabilities in your code, such as
Cross-Site Scripting, Path Traversal, OS Command Injection and more.
These methods rely on OWASP's encoders and best-practice fix recommendations.

Start using the CureKit Sanitizers
-----------------------------------
You can download a JAR from [Maven Central](https://search.maven.org/artifact/io.whitesource/curekit/1.0.3/jar).

The jar is also available in Maven:

```xml
<dependency>
    <groupId>io.whitesource</groupId>
    <artifactId>curekit</artifactId>
    <version>1.1.0</version>
</dependency>
```

Quick Overview
--------------
The CureKit Java library is intended for quick contextual encoding with very little
overhead, either in performance or usage. To get started, add encoder-1.0.3.jar to your classpath,
import io.whitesource.cure.Encoder and start using it.

Example usage:

```java
PrintWriter out = ....;
// userData is untrusted input; encode it for the HTML text context before writing it out.
out.println("<textarea>" + Encode.forHtmlXss(userData) + "</textarea>");
```

File Snapshot

```
[4.0K] /data/pocs/e3ae8c896ae3820bdcbd6ab9a88988e9cf87ce8a
├── [ 146] Jenkinsfile
├── [ 11K] LICENSE
├── [7.7K] pom.xml
├── [1.9K] README.md
└── [4.0K] src
    ├── [4.0K] main
    │   ├── [4.0K] java
    │   │   └── [4.0K] io
    │   │       └── [4.0K] whitesource
    │   │           └── [4.0K] cure
    │   │               ├── [ 14K] Encoder.java
    │   │               ├── [1.2K] FileSecurityUtils.java
    │   │               └── [3.2K] SecureObjectInputStream.java
    │   └── [4.0K] resources
    │       └── [ 441] WssAllowListForLog.json
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] io
                └── [4.0K] whitesource
                    └── [4.0K] cure
                        ├── [3.8K] EncodersTests.java
                        ├── [1.8K] FileSecurityUtilsTests.java
                        ├── [4.0K] mocks
                        │   ├── [ 343] Academy.java
                        │   ├── [ 248] Campus.java
                        │   └── [ 309] Student.java
                        └── [2.5K] SecureDeserializationTests.java

13 directories, 14 files
```