Local file read through %load_json in plantuml/plantuml
Reported on Jun 12th 2023
Description
When ALLOW_PLANTUML_INCLUDE is set to false (the default setting) in the online server, !include processing is turned off, preventing local files from being read. However, other features like %load_json can still access local files.
Since many people will run plantuml-server in its default configuration, it might be better to block all local file reading by default, or to include control of %load_json access as part of the ALLOW_PLANTUML_INCLUDE switch.
Proof of Concept
docker run -d -p 8080:8080 plantuml/plantuml-server:jetty
Inside the container, write a JSON file to /var/lib/jetty/test.json, then render the following diagram:
@startuml
Bob -> Alice : %load_json("/var/lib/jetty/test.json")
@enduml
We can also confirm whether or not a file exists on the system. If the file exists, the result will either be valid JSON or a JSON parse error (if the file is not a JSON file). Otherwise, the result is simply {}. This can allow attackers to gain more information about the system.
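Operators who cannot upgrade immediately may want to screen submitted diagram source for %load_json arguments that are not remote URLs (and for !include when ALLOW_PLANTUML_INCLUDE is false). The following is an added example of such a pre-filter, not code from the PlantUML project; it is a textual check, and because the PlantUML preprocessor can build strings from variables, it conservatively flags any argument it cannot recognise as an http(s) URL rather than trying to resolve it.

```python
import re
from urllib.parse import urlparse

# %load_json(<argument>) calls and !include-family directives in PlantUML source.
LOAD_JSON_RE = re.compile(r'%load_json\s*\(\s*([^)]*?)\s*\)')
INCLUDE_RE = re.compile(r'^\s*(!include\w*)\b', re.MULTILINE)

def _unquote(arg):
    """Strip one layer of matching quotes from a %load_json argument."""
    arg = arg.strip()
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in "\"'":
        return arg[1:-1]
    return arg

def _is_remote_url(arg):
    """Only a literal http(s) URL with a host is allowed through."""
    parsed = urlparse(arg)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)

def find_local_reads(source, allow_include=False):
    """Return (directive, argument) pairs that may read a server-local file.

    A path, a preprocessor variable or any other non-URL argument is flagged,
    since a textual filter cannot know what it resolves to at render time.
    """
    findings = []
    for m in LOAD_JSON_RE.finditer(source):
        arg = _unquote(m.group(1))
        if not _is_remote_url(arg):
            findings.append(("%load_json", arg))
    if not allow_include:  # mirrors ALLOW_PLANTUML_INCLUDE=false
        for m in INCLUDE_RE.finditer(source):
            findings.append((m.group(1), ""))
    return findings

def is_safe(source, allow_include=False):
    return not find_local_reads(source, allow_include)

# Constructed inputs: the report's PoC diagram, a remote-URL variant, and a
# variable argument that a textual filter cannot resolve (hypothetical $f).
POC_DIAGRAM = '@startuml\nBob -> Alice : %load_json("/var/lib/jetty/test.json")\n@enduml'
REMOTE_DIAGRAM = '@startuml\nBob -> Alice : %load_json("https://example.com/data.json")\n@enduml'
VARIABLE_DIAGRAM = '@startuml\n!$f = "/var/lib/jetty/test.json"\nBob -> Alice : %load_json($f)\n@enduml'

if __name__ == "__main__":
    for name, src in [("poc", POC_DIAGRAM), ("remote", REMOTE_DIAGRAM), ("variable", VARIABLE_DIAGRAM)]:
        print(name, "safe" if is_safe(src) else find_local_reads(src))
```

Such a filter is a stopgap in front of the server, not a substitute for the upstream fix; rejected submissions are also a useful signal to log.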
Impact
Read local JSON files, and confirm existence of files.