Changes
Started by upstream project gerrit-pysim #3059
Started 11 hr ago
Queued 33 min
Took 16 min
on built-in
osmo-smdpp.py: fix path traversal bypass in SM-DP+ (CWE-22)
Root Cause:
os.path.commonprefix() compares strings character-by-character, NOT by path
components. This is a well-known Python antipattern (Python docs explicitly
warn: "this function may return invalid paths because it works a character
at a time").
Attack Context:
The matchingId parameter is received from a network client via the GSMA
ES9+ authenticateClient API endpoint (POST to
/gsma/rsp2/es9plus/authenticateClient). The SM-DP+ server is a Twisted web
application listening on port 443. An unauthenticated eUICC client sends
the matchingId in the ctxParamsForCommonAuthentication ASN.1 structure.
Fix:
Replace os.path.commonprefix() with proper path component checking:
Change-Id: I7a42b40aa2bbcd5f0ec99f172503354c6eaa9828
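The following is an added example, not part of the commit above and not the pySim/osmo-smdpp code, showing why the character-wise os.path.commonprefix() check described in the commit message can be bypassed and what a component-wise check looks like. The base directory /srv/smdpp/profiles, the function names vulnerable_resolve/safe_resolve/compare and the sample matchingId values are all assumptions constructed for this illustration; the server's real directory layout and helper names are not shown on this page.

```python
import os
from typing import Optional

# Constructed for this example: a hypothetical directory in which an SM-DP+
# would look up profile data by the client-supplied matchingId.
PROFILE_DIR = "/srv/smdpp/profiles"


def vulnerable_resolve(base_dir: str, matching_id: str) -> Optional[str]:
    """Reconstruction of the CWE-22 antipattern (not the project's code).

    os.path.commonprefix() compares the two strings one character at a
    time, so any path that merely *starts with* the base directory string
    passes, including a sibling directory such as /srv/smdpp/profiles-backup.
    """
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, matching_id))
    if os.path.commonprefix([candidate, base]) != base:
        return None
    return candidate


def safe_resolve(base_dir: str, matching_id: str) -> Optional[str]:
    """Component-wise containment check.

    os.path.commonpath() splits on path separators, so
    /srv/smdpp/profiles-backup shares only /srv/smdpp with the base
    directory and is rejected. The base directory itself (empty or '.'
    matchingId) is rejected as well.
    """
    base = os.path.abspath(base_dir)
    candidate = os.path.abspath(os.path.join(base, matching_id))
    if candidate == base:
        return None
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:
        # commonpath() raises on mixed absolute/relative paths or drives
        return None
    # abspath() collapses '..' lexically but does not follow symlinks; if
    # untrusted symlinks may exist under base_dir, run os.path.realpath()
    # on both paths before the comparison.
    return candidate


# Constructed sample matchingId values showing where the two checks differ.
SAMPLES = {
    "ABC-123": "ordinary id, accepted by both checks",
    "../profiles-backup/secret.der": "sibling dir sharing a string prefix: bypasses commonprefix",
    "../../../etc/passwd": "classic traversal: caught by both checks",
    "": "empty id resolves to the base directory itself",
}


def compare(base_dir: str = PROFILE_DIR):
    """Return {matching_id: (vulnerable_accepts, safe_accepts)} for SAMPLES."""
    return {
        mid: (vulnerable_resolve(base_dir, mid) is not None,
              safe_resolve(base_dir, mid) is not None)
        for mid in SAMPLES
    }


if __name__ == "__main__":
    for mid, (vuln, safe) in compare().items():
        print(f"{mid!r:36} vulnerable={vuln!s:5} safe={safe!s:5}  {SAMPLES[mid]}")
```

The sibling-directory case is the one the commit title calls a bypass: "../profiles-backup/secret.der" normalises to /srv/smdpp/profiles-backup/secret.der, which begins with the string "/srv/smdpp/profiles" and therefore satisfies commonprefix(), while commonpath() stops at /srv/smdpp and rejects it. A deeper "../../../etc/passwd" is refused by both, which is why a naive test with that payload would not have revealed the flaw.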