Coordinated Disclosure Timeline

Summary

The get_log_file REST API allows a user with Admin privilege to read arbitrary files on the server.

Project

Apache Doris

Tested Version

main branch head

Details

Path traversal in the getLogFile REST API (GHSL-2024-293)

Note: Exploiting this vulnerability requires a non-default feature (the API must be enabled in the FE config) and Admin user privilege.

The get_log_file REST API is implemented by the GetLogFileAction class.

public class GetLogFileAction extends RestBaseController {
    private final Set<String> logFileTypes = Sets.newHashSet("fe.audit.log");

    @RequestMapping(path = "/api/get_log_file", method = {RequestMethod.GET, RequestMethod.HEAD})
    public Object execute(HttpServletRequest request, HttpServletResponse response) {
        ...
        String logFile = request.getParameter("file");    //<----- 1.
        ...
        if (method.equals(RequestMethod.HEAD.name())) {
          ...
        } else if (method.equals(RequestMethod.GET.name())) {
            File log = getLogFile(logType, logFile);         //<------- 2.
            if (!log.exists() || !log.isFile()) {
                return ResponseEntityBuilder.okWithCommonError("Log file not exist: " + log.getName());
            }
            if (log != null) {
                try {
                    getFile(request, response, log, log.getName());  //<---- 3.

In the execute method that handles the REST request, the query parameter file is taken verbatim as a file name (1. above). It is then joined onto the log directory to build a path in 2., and that path is read in 3. and its content returned in the response. At no point is the resulting path validated against the log directory, so a file value containing ../ segments escapes it and any file the FE process can read is returned in the response.

Note that this API is disabled by default and must be enabled in the FE config file by adding the line:

enable_get_log_file_api = true

When this API is enabled, an admin user can use it to retrieve files outside the log directory, e.g.:

curl -u admin: -G -v http://localhost:8030/api/get_log_file --data-urlencode "type=fe.audit.log" --data-urlencode "file=../LICENSE-dist.txt"

prints the content of LICENSE-dist.txt from the fe directory (assuming the directory structure of a newly built Doris instance, where the log directory sits directly under fe).
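As an added example that is not part of this advisory or of Apache Doris, the following standalone Java program contrasts the unchecked resolution described above with the containment check a fix needs: canonicalize the log directory, normalize the user-supplied name against it, and reject anything that does not stay underneath it (including symlinks that point back out). The directory layout (a log directory directly under fe, holding fe.audit.log) and the names LogFileResolver, resolveUnchecked and resolveChecked are assumptions for illustration; the allow-list of log types mirrors the one in the snippet.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

/**
 * Added example, not Apache Doris code. Shows the unchecked path join the
 * advisory describes next to a resolver that keeps reads inside the log dir.
 */
public class LogFileResolver {
    // Mirrors the allow-list in the GetLogFileAction snippet: only fe.audit.log is served.
    private static final Set<String> LOG_FILE_TYPES = Set.of("fe.audit.log");

    /** Vulnerable pattern: the user-controlled name is joined straight onto the log directory. */
    static Path resolveUnchecked(Path logDir, String logType, String logFile) {
        if (!LOG_FILE_TYPES.contains(logType)) {
            throw new IllegalArgumentException("unknown log type: " + logType);
        }
        return logDir.resolve(logFile); // "../LICENSE-dist.txt" walks out of logDir
    }

    /** Hardened: normalize, then require the result to stay under the canonical log directory. */
    static Path resolveChecked(Path logDir, String logType, String logFile) throws IOException {
        if (!LOG_FILE_TYPES.contains(logType)) {
            throw new IllegalArgumentException("unknown log type: " + logType);
        }
        if (logFile == null || logFile.isEmpty()) {
            throw new IllegalArgumentException("missing file parameter");
        }
        Path base = logDir.toRealPath();                     // canonical, symlinks resolved
        Path candidate = base.resolve(logFile).normalize();  // collapses ".."; an absolute logFile replaces base
        // startsWith compares whole path components, so /fe/log does not match /fe/logs.
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new SecurityException("path escapes log directory: " + logFile);
        }
        if (!Files.isRegularFile(candidate)) {
            throw new IOException("Log file not exist: " + candidate.getFileName());
        }
        Path real = candidate.toRealPath();                  // follow symlinks inside the log dir
        if (!real.startsWith(base)) {
            throw new SecurityException("symlink escapes log directory: " + logFile);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout (assumption): fe/log/fe.audit.log and fe/LICENSE-dist.txt, as on a built FE.
        Path fe = Files.createTempDirectory("fe");
        Path logDir = Files.createDirectories(fe.resolve("log"));
        Files.writeString(logDir.resolve("fe.audit.log"), "audit entry\n");
        Files.writeString(fe.resolve("LICENSE-dist.txt"), "license text\n");

        String[] inputs = {
            "fe.audit.log",                              // legitimate request
            "../LICENSE-dist.txt",                       // the traversal from the advisory
            fe.resolve("LICENSE-dist.txt").toString()    // absolute path supplied directly
        };
        for (String file : inputs) {
            Path unchecked = resolveUnchecked(logDir, "fe.audit.log", file).normalize();
            System.out.printf("unchecked %s -> %s (readable file: %b)%n",
                    file, unchecked, Files.isRegularFile(unchecked));
            try {
                System.out.printf("checked   %s -> %s%n", file, resolveChecked(logDir, "fe.audit.log", file));
            } catch (SecurityException e) {
                System.out.printf("checked   %s -> rejected (%s)%n", file, e.getMessage());
            }
        }
    }
}
```

Compile and run with javac LogFileResolver.java && java LogFileResolver (Java 11 or later). For fe.audit.log both resolvers agree; for ../LICENSE-dist.txt and for the absolute path, the unchecked resolver hands back an existing file outside the log directory, while the hardened one rejects the request before any read happens. Note that the ordering matters: the containment check runs on the normalized path before the file is touched, and toRealPath is applied a second time so a symlink planted inside the log directory cannot be used to read elsewhere.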

Impact

This issue may lead to information disclosure: an Admin user can read any file on the server that the FE process itself can read.

Credit

This issue was discovered and reported by Bughalla of the GitHub Security Lab.

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-293 in any communication regarding this issue.