
CVE-2022-23082 PoC — CureKit - Path Traversal in isFileOutsideDir

Associated Vulnerability
Title: CureKit - Path Traversal in isFileOutsideDir (CVE-2022-23082)
Description: CureKit versions v1.0.1 through v1.1.3 are vulnerable to path traversal because the function isFileOutsideDir fails to sanitize user input.
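The advisory names only the failure class (a containment check that does not sanitize the path it is given), so the following example, added here and not taken from CureKit or its FileSecurityUtils, contrasts a naive prefix comparison with a canonicalisation-based check. The class and method names, the base directory `/srv/uploads` and the sample inputs are all constructed for illustration and assume Unix-style paths.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

/** Added illustration of a path-containment check; not CureKit's implementation. */
public final class PathContainmentCheck {

    /**
     * Naive check (hypothetical, constructed to show the failure class): it joins the user
     * path onto the base directory and compares raw strings, so "../" segments are never
     * collapsed and an absolute user path is never noticed.
     */
    static boolean isOutsideDirNaive(String baseDir, String userPath) {
        String candidate = baseDir + File.separator + userPath;
        return !candidate.startsWith(baseDir);
    }

    /**
     * Hardened check: resolve the user path against the base directory, canonicalise both
     * (collapsing "." and "..", resolving any symlinks that already exist), then require
     * that the canonical base is a path-component ancestor of the canonical candidate.
     * Path.startsWith compares whole components, so "/srv/uploads2" is not inside "/srv/uploads".
     */
    static boolean isOutsideDir(String baseDir, String userPath) throws IOException {
        Path base = new File(baseDir).getCanonicalFile().toPath();
        // resolve() returns userPath unchanged when it is absolute, so absolute inputs are caught too
        Path candidate = base.resolve(userPath).toFile().getCanonicalFile().toPath();
        return !candidate.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        String base = "/srv/uploads";  // constructed base directory; it need not exist on disk
        String[] inputs = {            // constructed sample inputs
            "report.pdf",              // legitimate file inside the directory
            "../etc/passwd",           // parent-directory escape
            "sub/../../secret",        // escape hidden behind a subdirectory
            "/etc/hosts"               // absolute path that ignores the base entirely
        };
        for (String in : inputs) {
            System.out.printf("%-20s naive=%-5b hardened=%-5b%n",
                    in, isOutsideDirNaive(base, in), isOutsideDir(base, in));
        }
    }
}
```

Run with `javac PathContainmentCheck.java && java PathContainmentCheck`. The naive method reports every input as inside the directory, because each joined string still begins with `/srv/uploads`; the canonicalising method flags the three escaping inputs. Canonicalising only the candidate is not enough: if the base directory itself contains a symlink, the two sides must be canonicalised the same way before they are compared.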
Readme
CureKit - WhiteSource Cure Encoding Package
===========================================

[![Language](https://img.shields.io/badge/language-Java-pink)](https://travis-ci.org/OWASP/owasp-java-encoder) [![Build Status](https://travis-ci.org/OWASP/owasp-java-encoder.svg?branch=main)](https://travis-ci.org/OWASP/owasp-java-encoder) [![License](https://img.shields.io/badge/license-Apache%202.0-blue)](https://www.apache.org/licenses/LICENSE-2.0.html)

CureKit is a security library mostly used by the WhiteSource Cure self-fixing product.

WhiteSource Cure is an innovative solution that automatically generates remediation suggestions for vulnerabilities identified by detection tools in proprietary code.
The remediation suggestions are presented on the vulnerable code itself and can be used as-is in your IDE.

CureKit contains encoders and other utilities that are critical to the Self-Healing process suggested by WhiteSource Cure.
The sanitization methods in CureKit provide fixes for security vulnerabilities in your code, such as
Cross-Site Scripting, Path Traversal, OS Command Injection and more.
These methods rely on OWASP's encoders and best-practice fix recommendations.

Start using the CureKit Sanitizers
-----------------------------------
You can download a JAR from [Maven Central](https://search.maven.org/artifact/io.whitesource/curekit/1.0.3/jar).

The JAR is also available as a Maven dependency:

```xml
<dependency>
    <groupId>io.whitesource</groupId>
    <artifactId>curekit</artifactId>
    <version>1.1.0</version>
</dependency>
```

Quick Overview
--------------
The CureKit Java library is intended for quick contextual encoding with very little
overhead, either in performance or usage. To get started, simply add the encoder-1.0.3.jar,
import io.whitesource.cure.Encoder and start using it.

Example usage:

```java
import java.io.PrintWriter;
import io.whitesource.cure.Encoder;

PrintWriter out = ....;
// Encode untrusted data for an HTML context before writing it into the page
out.println("<textarea>" + Encoder.forHtmlXss(userData) + "</textarea>");
```

File Snapshot

```
[4.0K] /data/pocs/e3ae8c896ae3820bdcbd6ab9a88988e9cf87ce8a
├── [ 146] Jenkinsfile
├── [ 11K] LICENSE
├── [7.7K] pom.xml
├── [1.9K] README.md
└── [4.0K] src
    ├── [4.0K] main
    │   ├── [4.0K] java
    │   │   └── [4.0K] io
    │   │       └── [4.0K] whitesource
    │   │           └── [4.0K] cure
    │   │               ├── [ 14K] Encoder.java
    │   │               ├── [1.2K] FileSecurityUtils.java
    │   │               └── [3.2K] SecureObjectInputStream.java
    │   └── [4.0K] resources
    │       └── [ 441] WssAllowListForLog.json
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] io
                └── [4.0K] whitesource
                    └── [4.0K] cure
                        ├── [3.8K] EncodersTests.java
                        ├── [1.8K] FileSecurityUtilsTests.java
                        ├── [4.0K] mocks
                        │   ├── [ 343] Academy.java
                        │   ├── [ 248] Campus.java
                        │   └── [ 309] Student.java
                        └── [2.5K] SecureDeserializationTests.java

13 directories, 14 files
```