DataLinkDC Dinky Path Traversal Vulnerability in Git Project Management

Vulnerability

A path traversal vulnerability has been identified in DataLinkDC Dinky versions through 1.2.5. The issue arises in the Git project management feature, specifically within the 'getProjectDir' function of 'GitRepository.java'. This vulnerability allows authenticated users with Git project creation permissions to manipulate project names, injecting path traversal sequences that result in arbitrary file writes on the server filesystem. The vulnerability can be exploited remotely, and a public exploit is available.

Impact

Exploitation of this vulnerability allows authenticated users to write files to arbitrary locations on the server, potentially overwriting existing files or modifying application behavior. In some cases, this could lead to remote code execution by placing malicious JAR files in the application classpath.

Reproduction

To reproduce this vulnerability, an authenticated user with Git project creation permissions can send a POST request to the '/api/git/saveOrUpdate' endpoint. The request must include a 'GitProjectDTO' object with a 'name' field containing path traversal sequences, such as '../../malicious'. Once the project is saved, the 'buildGitProject' endpoint can be called to trigger the file write operation, or the 'saveOrUpdateGitProject' method can be used, which automatically initiates the file write process.

Remediation

Validate project names on input so that they cannot contain path traversal sequences. Additionally, run the application with minimal filesystem privileges to limit the potential impact of such vulnerabilities.
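One way to implement the project-name validation described above, shown as an added example that is not Dinky's own code. The class name `ProjectDirGuard`, the method `resolveProjectDir`, the allow-list pattern and the temporary base directory are all assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

public class ProjectDirGuard {
    // Assumption: project names are limited to a conservative allow-list
    // (letters, digits, dot, underscore, hyphen; no path separators).
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,63}");

    /** Resolves a project directory under baseDir and rejects any name that escapes it. */
    static Path resolveProjectDir(Path baseDir, String projectName) throws IOException {
        // Layer 1: syntactic check on the raw name before it touches the filesystem.
        if (projectName == null
                || !SAFE_NAME.matcher(projectName).matches()
                || projectName.contains("..")) {
            throw new IllegalArgumentException("invalid project name");
        }
        // Layer 2: containment check on the normalized path, so a gap in the
        // name check still cannot produce a path outside the base directory.
        Path base = baseDir.toRealPath();
        Path candidate = base.resolve(projectName).normalize();
        if (!candidate.startsWith(base)) {
            throw new IllegalArgumentException("project directory escapes base directory");
        }
        // Layer 3: if the directory already exists, follow symlinks and re-check.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new IllegalArgumentException("project directory resolves outside base directory");
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temporary base directory and test names.
        Path base = Files.createTempDirectory("git-projects");
        String[] names = {"demo-project", "ok.v1", "../../malicious", "a/b", "..", "a..b"};
        for (String name : names) {
            try {
                System.out.println(name + " -> " + resolveProjectDir(base, name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The check belongs at the point where the name is turned into a filesystem path, so that every caller that builds a project directory goes through it.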

Added: Feb 24, 2026, 1:29 AM
Updated: Feb 24, 2026, 1:29 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.2
exploitability: 6.6
remediation: 0.0
relevance: 3.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.