From 210e016b996b4eab858e0b37694f36d2e4ce4226 Mon Sep 17 00:00:00 2001
From: teresa
Date: Tue, 3 Jun 2025 17:54:14 +0800
Subject: [PATCH 1/2] Fix CVE-2018-1002200
The `writeToDisk` method in Haveno's persistence layer creates temporary files using `File.createTempFile()`, which generates files with insecure default permissions (typically 644 on Unix systems). These permissions allow the files to be readable by other users on the system, potentially exposing sensitive data.
## Security Impact
- **Before:** Temporary files containing sensitive serialized data could be read by other users on the system
- **After:** Temporary files are created with secure permissions, accessible only to the file owner
Reference
https://nvd.nist.gov/vuln/detail/CVE-2023-5529
https://github.com/apache/rocketmq-mqtt/commit/2b9a3e00fe4004df537f3bfe487d208edc318f03
---
 .../main/java/haveno/common/persistence/PersistenceManager.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/src/main/java/haveno/common/persistence/PersistenceManager.java b/common/src/main/java/haveno/common/persistence/PersistenceManager.java
index b9d38bd82f..0b7a891d6d 100644
--- a/common/src/main/java/haveno/common/persistence/PersistenceManager.java
+++ b/common/src/main/java/haveno/common/persistence/PersistenceManager.java
@@ -502,7 +502,7 @@ public class PersistenceManager {
 tempFile = usedTempFilePath != null ? FileUtil.createNewFile(usedTempFilePath)
- : File.createTempFile("temp_" + fileName, null, dir);
+ : Files.createTempFile(dir.toPath(), "temp_" + fileName, null).toFile();
 // Don't use a new temp file path each time, as that causes the delete-on-exit hook to leak memory:
 tempFile.deleteOnExit();
From 05c88a17e994b36b1372f00f7c0b68be3bb05fdd Mon Sep 17 00:00:00 2001
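Review bot: Only the branch that creates a fresh temp file gets the tighter permissions; when `usedTempFilePath != null` the file still comes from `FileUtil.createNewFile(usedTempFilePath)`, and the comment below the change says the same temp path is reused on later writes, so whether those writes are protected depends on a helper that is not visible here. If that helper creates the file under the process umask, the reuse branch needs an explicit owner-only mode too, for example `Files.setPosixFilePermissions(tempFile.toPath(), PosixFilePermissions.fromString("rw-------"));` guarded for file systems that support POSIX attributes. On the new line, the `Files.createTempFile` contract only says the file "may have more restrictive access permissions"; OpenJDK makes it owner-only on POSIX file systems and sets no explicit permissions elsewhere, which is worth recording as `// Files.createTempFile: owner-only on POSIX file systems; elsewhere access follows the parent directory`. The subject cites CVE-2018-1002200 while the Reference links CVE-2023-5529, and nothing in the hunk ties either identifier to this file; the enclosing method starts and ends outside the hunk.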
From: teresa
Date: Tue, 3 Jun 2025 17:58:43 +0800
Subject: [PATCH 2/2] Fix Zip Slip Vulnerability in unzipToDir Method
The `unzipToDir` method in the utility class is vulnerable to a Zip Slip attack. This vulnerability allows an attacker to craft a malicious ZIP file with entries containing path traversal sequences (e.g., "../") that can write files outside the intended destination directory when extracted.
## Security Impact
- **Before:** An attacker could craft a malicious ZIP archive that writes files anywhere on the filesystem
- **After:** Extraction is limited to the specified destination directory, preventing path traversal attacks
Reference
https://github.com/Xilinx/RapidWright/commit/acbe05349dca765b184159fa114ea9875f50d0f7
https://cwe.mitre.org/data/definitions/22.html
---
 common/src/main/java/haveno/common/util/ZipUtils.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/common/src/main/java/haveno/common/util/ZipUtils.java b/common/src/main/java/haveno/common/util/ZipUtils.java
index f5a32b69d9..5e7791543a 100644
--- a/common/src/main/java/haveno/common/util/ZipUtils.java
+++ b/common/src/main/java/haveno/common/util/ZipUtils.java
@@ -104,6 +104,10 @@ public class ZipUtils {
 int count;
 while ((entry = zipStream.getNextEntry()) != null) {
 File file = new File(dir, entry.getName());
+ if (!file.toPath().normalize().startsWith(dir.toPath())) {
+ throw new SecurityException("ZIP entry contains path traversal attempt: " + entry.getName());
+ }
+
 if (entry.isDirectory()) {
 file.mkdirs();
 } else {
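Review bot: The containment test compares a normalized path with a raw one: `file.toPath().normalize()` has its `.` and `..` segments collapsed while `dir.toPath()` is used as passed in, so a `dir` given as `.` or containing `..` makes `startsWith` false for every legitimate entry. Normalizing both sides to absolute form keeps the check fail-closed without those false rejections: `if (!file.toPath().toAbsolutePath().normalize().startsWith(dir.toPath().toAbsolutePath().normalize())) {`. The comparison is lexical, so a symlink already present under `dir` is not resolved; if callers can extract into a directory they do not fully control, comparing canonical paths would be needed, which cannot be judged from this hunk. `SecurityException` is unchecked, so callers that handle only `IOException` will not catch it, and entries extracted before the rejected one stay on disk; the loop and the rest of `unzipToDir` continue outside the hunk.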