Pebble Templates, Local File Inclusion (LFI), CVE-2024-XXXX (Critical)

How the CVE Works:

The vulnerability arises when untrusted user input is used to create a PebbleTemplate using the PebbleEnginegetLiteralTemplate method. The include macro in Pebble Templates allows for the inclusion of files based on a relative path. When PebbleTemplateImplresolveRelativePath is called, it resolves the path against the PebbleTemplateImpl.name variable. However, when the template is created from a string, PebbleTemplateImpl.name contains the entire template content instead of a filename. This causes the relativePath to be resolved against the system root directory, enabling attackers to include arbitrary local files, such as /etc/passwd, into the template output. This results in a Local File Inclusion (LFI) vulnerability, potentially exposing sensitive data.

DailyCVE Form:

Platform: Pebble Templates

Version: All versions

Vulnerability: Local File Inclusion (LFI)

Severity: Critical

Date: February 24, 2025

What Undercode Say:

Exploitation:

1. Malicious Template Creation:

String templateString = "{% include '/etc/passwd' %}";
PebbleTemplate template = e.getLiteralTemplate(templateString);

2. Exfiltrate Sensitive Data:

try (Writer writer = new StringWriter()) {
template.evaluate(writer, new HashMap<>());
System.out.println(writer);
}

3. Access `/proc` Filesystem:

String templateString = "{% include '/proc/self/environ' %}";

Mitigation:

1. Disable `include` Macro:

new PebbleEngine.Builder()
.registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
.disallowedTokenParserTags(List.of("include"))
.build())
.build();

2. Input Validation:

Ensure untrusted user input is sanitized before being used in template creation.

3. File Access Restrictions:

Restrict file system access to the application running Pebble Templates.

Commands:

1. Check Pebble Version:

mvn dependency:tree | grep pebble

2. Monitor File Access:

auditctl -w /etc/passwd -p r -k pebble_lfi

References:

• GitHub Advisory: GHSA-7c6h-hmf9-7wj7
• Issue Discussion: PebbleTemplates/pebble688

Analytics:

• Affected Systems: Applications using Pebble Templates with dynamic template creation.
• Risk Level: Critical due to potential data exfiltration and system compromise.
• Exploit Complexity: Low, as it requires minimal code changes to exploit.
• Patch Status: No official fix available; mitigation involves disabling the include macro.

Code Snippets:

1. Vulnerable Code:

PebbleEngine e = new PebbleEngine.Builder().build();
String templateString = "{% include '/etc/passwd' %}";
PebbleTemplate template = e.getLiteralTemplate(templateString);

2. Secure Code:

PebbleEngine e = new PebbleEngine.Builder()
.registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder()
.disallowedTokenParserTags(List.of("include"))
.build())
.build();

URLs:

• Pebble Templates GitHub
• OpenSSF Vulnerability Disclosure Policy

By following these steps, developers can mitigate the risk of this critical vulnerability in Pebble Templates.

References:

Reported By: https://github.com/advisories/GHSA-p75g-cxfj-7wrx
Extra Source Hub:
Undercode

Image Source:

Undercode AI DI v2