VYPR
← All advisories
Moderate severityNVD Advisory· Published Jun 24, 2024· Updated Aug 2, 2024

Path traversal in `CodeChecker server` in the endpoint of `CodeChecker store`

CVE-2023-49793

Description

CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Zip files uploaded to the server endpoint of CodeChecker store are not properly sanitized. An attacker, using a path traversal attack, can load and display files on the machine of CodeChecker server. The vulnerable endpoint is /Default/v6.53/CodeCheckerService@massStoreRun. The path traversal vulnerability allows reading data on the machine of the CodeChecker server, with the same permission level as the CodeChecker server. The attack requires a user account on the CodeChecker server, with permission to store to a server, and view the stored report. This vulnerability has been patched in version 6.23.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
codecheckerPyPI
< 6.23.06.23.0

Affected products

1

Patches

1
46bada41e32f

Merge pull request from GHSA-h26w-r4m5-8rrf

https://github.com/Ericsson/codecheckervodorokDec 8, 2023via ghsa
commit
2 files changed · +17 10
  • codechecker_common/util.py+7 0 modified
    @@ -13,6 +13,7 @@
 import itertools
 import json
 from typing import TextIO
+import os
 import portalocker
 
 from codechecker_common.logger import get_logger
@@ -98,3 +99,9 @@ def get_linef(fp: TextIO, line_no: int) -> str:
         if line_no == 0:
             return line
     return ''
+
+def path_for_fake_root(full_path: str, root_path: str = '/') -> str:
+    """Normalize and sanitize full_path, then make it relative to root_path."""
+    relative_path = os.path.relpath(full_path, '/')
+    fake_root_path = os.path.join(root_path, relative_path)
+    return os.path.realpath(fake_root_path)
  • web/server/codechecker_server/api/mass_store_run.py+10 10 modified
    @@ -28,7 +28,7 @@
 from codechecker_common.logger import get_logger
 from codechecker_common.review_status_handler import ReviewStatusHandler, \
     SourceReviewStatus
-from codechecker_common.util import load_json
+from codechecker_common.util import load_json, path_for_fake_root
 
 from codechecker_report_converter.util import trim_path_prefixes
 from codechecker_report_converter.report import report_file, Report
@@ -391,13 +391,12 @@ def __store_source_files(
         file_path_to_id = {}
 
         for file_name, file_hash in filename_to_hash.items():
-            source_file_name = os.path.join(source_root, file_name.strip("/"))
-            source_file_name = os.path.realpath(source_file_name)
-            LOG.debug("Storing source file: %s", source_file_name)
+            source_file_path = path_for_fake_root(file_name, source_root)
+            LOG.debug("Storing source file: %s", source_file_path)
             trimmed_file_path = trim_path_prefixes(
                 file_name, self.__trim_path_prefixes)
 
-            if not os.path.isfile(source_file_name):
+            if not os.path.isfile(source_file_path):
                 # The file was not in the ZIP file, because we already
                 # have the content. Let's check if we already have a file
                 # record in the database or we need to add one.
@@ -407,16 +406,17 @@ def __store_source_files(
                     fid = add_file_record(
                         session, trimmed_file_path, file_hash)
 
-                if not fid:
+                if fid:
+                    file_path_to_id[trimmed_file_path] = fid
+                    LOG.debug("%d fileid found", fid)
+                else:
                     LOG.error("File ID for %s is not found in the DB with "
                               "content hash %s. Missing from ZIP?",
-                              source_file_name, file_hash)
-                file_path_to_id[trimmed_file_path] = fid
-                LOG.debug("%d fileid found", fid)
+                              source_file_path, file_hash)
                 continue
 
             with DBSession(self.__Session) as session:
-                self.__add_file_content(session, source_file_name, file_hash)
+                self.__add_file_content(session, source_file_path, file_hash)
 
                 file_path_to_id[trimmed_file_path] = add_file_record(
                     session, trimmed_file_path, file_hash)

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.