Enhancement: normalize FilesPlaintextVaultProvider secret paths to prevent false positives in CSAs (#44345)

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>
Peter Zaoral 2026-02-03 22:21:04 +01:00 committed by GitHub
parent 1f0fceb867
commit 78299ae82d


@ -50,7 +50,7 @@ public class FilesPlainTextVaultProvider extends AbstractVaultProvider {
@Override
protected VaultRawSecret obtainSecretInternal(String vaultSecretId) {
Path secretPath = vaultPath.resolve(vaultSecretId);
Path secretPath = vaultPath.resolve(vaultSecretId).normalize();
if (!Files.exists(secretPath)) {
logger.warnf("Cannot find secret %s in %s", vaultSecretId, secretPath);
return DefaultVaultRawSecret.forBuffer(Optional.empty());
@ -69,13 +69,16 @@ public class FilesPlainTextVaultProvider extends AbstractVaultProvider {
if (!super.validate(resolver, key, resolvedKey)) {
return false;
}
Path secretPath = vaultPath.resolve(resolvedKey);
Path secretPath = vaultPath.resolve(resolvedKey).normalize();
Path expectedPath = vaultPath;
if (resolver == AbstractVaultProviderFactory.AvailableResolvers.REALM_FILESEPARATOR_KEY.getVaultKeyResolver()) {
expectedPath = expectedPath.resolve(realm);
}
if (!secretPath.getParent().equals(expectedPath)) {
expectedPath = expectedPath.normalize();
Path parent = secretPath.getParent();
if (parent == null || !parent.equals(expectedPath)) {
logger.warnf("Path traversal attempt detected in secret %s.", key);
return false;
}
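Review bot: The containment check at `parent == null || !parent.equals(expectedPath)` is purely lexical: `normalize()` collapses `.` and `..` segments but does not resolve symbolic links, so a link that sits lexically inside the expected directory is accepted regardless of where it points, and the check's strength also depends on the configured `vaultPath` not being a relative or link-containing path. If that is acceptable for this provider (the vault directory and its files are operator-managed), the assumption deserves a comment above the check, e.g. `// Lexical check only: normalize() does not follow symlinks; the vault directory is trusted to be operator-controlled.`; if it is not, comparing `toRealPath()` results would be the stronger form, at the cost of requiring the file to exist. Relatedly, `obtainSecretInternal` in the first hunk gains the same `normalize()` but performs no containment check of its own, so it presumably relies on `validate()` having run first — a one-line comment stating that dependency would make the split of responsibilities explicit. The enclosing `validate` method begins before this hunk and its body continues past it.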