Security issue parent path in error output

0 votes
asked Sep 25 in Bug by Pander (1,080 points)

When using PlantUML with only local paths results in an error, PlantUML should not expose the full path in the error messages. This is a security issue, as it exposes information about the system at a higher level than where the working directory is located.

Perhaps show these absolute paths only when a special option for it is provided, but in normal use, please only show local and relative paths in error messages. Fixing this will make usage of PlantUML less risky when error output is shared with others.

Input 1 is:

@startuml
start
:asdf
stop
@enduml

Output 1 on command line is:

Error line 2 in file: /tmp/home/username/test-directory/test.pu
Some diagram description contains errors

Desired is only "Error line 2 in file: test.pu"

Output 1 in PNG file is:

Desired is only "[From test.pu line 3) ]".

Input 2 is:

@startuml
!include ../skin.pu
start
:asdf;
stop
@enduml

Output 2 on command line is:

Preprocessor Error: Cannot include /tmp/home/username/test-directory/../skin.pu
Error line 1 in file: /tmp/home/username/test-directory/test.pu
Some diagram description contains errors

Desired is only "Preprocessor Error: Cannot include ../skin.pu" and "Error line 1 in file: test.pu".

Output 2 in PNG file is:

Desired is only "From test.pu (line 2) ]" and "Cannot include .../skin.pu"
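The rewrite requested above, as an added example that is not part of the original post and not PlantUML's own code: a filter that turns absolute paths in tool output into paths relative to the working directory, plus a check that none remain before the output is shared. The function names, the regular expression and the working directory (inferred from the paths in Output 2) are assumptions.

```python
import posixpath
import re

# An absolute POSIX path: "/" that does not continue a relative path, "~" or
# a URL, followed by one or more non-empty segments.
ABS_PATH = re.compile(r"""(?<![\w.~\-/])/(?:[^\s/"']+/)*[^\s/"']+""")

# Assumed working directory and the tool output quoted in the question (Output 2).
WORKDIR = "/tmp/home/username/test-directory"
OUTPUT_2 = (
    "Preprocessor Error: Cannot include /tmp/home/username/test-directory/../skin.pu\n"
    "Error line 1 in file: /tmp/home/username/test-directory/test.pu\n"
    "Some diagram description contains errors\n"
)


def find_absolute_paths(text):
    """Return every absolute path still present in text (empty list = clean)."""
    return [m.group(0).rstrip(".,;:)") for m in ABS_PATH.finditer(text)]


def relativize_paths(text, base_dir):
    """Rewrite each absolute path in text relative to base_dir."""
    base = posixpath.normpath(base_dir)

    def repl(match):
        raw = match.group(0)
        path = raw.rstrip(".,;:)")  # keep sentence punctuation out of the path
        # normpath collapses "dir/../x", so parent directory names disappear
        rel = posixpath.relpath(posixpath.normpath(path), base)
        return rel + raw[len(path):]

    return ABS_PATH.sub(repl, text)


if __name__ == "__main__":
    print(relativize_paths(OUTPUT_2, WORKDIR), end="")
```

Symbolic links are not resolved, and a path outside the working directory is rendered with leading `..` components, which shows how far away it is but not the names of the parent directories.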

1 Answer

0 votes
answered Sep 25 by plantuml (187,300 points)
Ok, let's give it a try.

This is fixed in the last beta http://beta.plantuml.net/plantuml.jar

Tell us if you find other issues related to security.

Regards,
commented Sep 26 by Pander (1,080 points)
edited Sep 26 by Pander
Thanks, this solves the issue.

PS Tomorrow is the beta freeze for Ubuntu. Can you try to get the latest stable in for the cosmic release? https://launchpad.net/ubuntu/+source/plantuml They are at 9 and 11 is latest, I see. You can reach them at ubuntu-devel-discuss aatt lists.ubuntu.com

See also https://bugs.launchpad.net/ubuntu/+source/plantuml/+bug/1754051 but I doubt if that is picked up before the freeze ends without emailing the maintainers.
...