Skip to content

๐Ÿ›ก๏ธ Sentinel: [HIGH] Fix Null Byte Injection in File Validation#120

Open
seonghobae wants to merge 3 commits into
mainfrom
sentinel-fix-null-byte-injection-10962904880897055436
Open

๐Ÿ›ก๏ธ Sentinel: [HIGH] Fix Null Byte Injection in File Validation#120
seonghobae wants to merge 3 commits into
mainfrom
sentinel-fix-null-byte-injection-10962904880897055436

Conversation

@seonghobae

Copy link
Copy Markdown
Collaborator

๐Ÿ›ก๏ธ Sentinel: [HIGH] Fix Null Byte Injection in File Validation

๐Ÿšจ Severity: HIGH
๐Ÿ’ก Vulnerability: DefaultDocumentValidationService์—์„œ ์—…๋กœ๋“œ๋œ ํŒŒ์ผ์˜ ์›๋ณธ ํŒŒ์ผ๋ช…์— Null Byte(\u0000)๊ฐ€ ํฌํ•จ๋˜์–ด ์žˆ๋Š”์ง€ ๊ฒ€์ฆํ•˜์ง€ ์•Š์•˜์Šต๋‹ˆ๋‹ค.
๐ŸŽฏ Impact: ๊ณต๊ฒฉ์ž๊ฐ€ ํŒŒ์ผ๋ช…์— Null Byte๋ฅผ ์ฃผ์ž…ํ•˜์—ฌ ํ™•์žฅ์ž ๊ฒ€์ฆ์„ ์šฐํšŒํ•˜๊ณ (์˜ˆ: malicious.hwp\u0000.pdf), ํ•˜์œ„ ์‹œ์Šคํ…œ์—์„œ ํŒŒ์ผ๋ช…์ด ์ ˆ์‚ญ๋˜๋„๋ก ๋งŒ๋“ค์–ด ์•…์„ฑ ํŒŒ์ผ์„ ์—…๋กœ๋“œํ•  ์ˆ˜ ์žˆ๋Š” ์œ„ํ—˜์ด ์žˆ์Šต๋‹ˆ๋‹ค.
๐Ÿ”ง Fix: ์›๋ณธ ํŒŒ์ผ๋ช…์„ ํš๋“ํ•œ ์งํ›„ fileName.indexOf('\u0000') >= 0 ๊ฒ€์‚ฌ๋ฅผ ์ˆ˜ํ–‰ํ•˜์—ฌ Null Byte๊ฐ€ ๋ฐœ๊ฒฌ๋˜๋ฉด ์ฆ‰์‹œ IllegalArgumentException์„ ๋˜์ ธ(fail securely) ํ•ด๋‹น ์ž…๋ ฅ์„ ๋ช…์‹œ์ ์œผ๋กœ ๊ฑฐ๋ถ€ํ•˜๋„๋ก ์ˆ˜์ •ํ–ˆ์Šต๋‹ˆ๋‹ค.
โœ… Verification:

  • ๋‹จ์œ„ ํ…Œ์ŠคํŠธ rejectsFilenameWithNullByte ์ž‘์„ฑ ๋ฐ ํ†ต๊ณผ ํ™•์ธ
  • mvn test ๋ช…๋ น์–ด๋กœ ๊ธฐ์กด ํ…Œ์ŠคํŠธ ํฌํ•จ ๋ชจ๋“  ํ…Œ์ŠคํŠธ 100% ํ†ต๊ณผ ํ™•์ธ (Failures: 0)
  • mvn -DskipTests checkstyle:check ๋ช…๋ น์–ด๋กœ ์ถ”๊ฐ€๋œ ์ฝ”๋“œ๊ฐ€ strict Checkstyle ๋ฃฐ์„ ์ค€์ˆ˜ํ•จ์„ ํ™•์ธ
  • .jules/sentinel.md์— ๋ณด์•ˆ ๊ตํ›ˆ(Learning) ๊ธฐ๋ก ์™„๋ฃŒ

PR created automatically by Jules for task 10962904880897055436 started by @seonghobae

`DefaultDocumentValidationService`์—์„œ ํŒŒ์ผ๋ช… ๊ฒ€์ฆ ์‹œ Null Byte(`\u0000`)๋ฅผ
์ด์šฉํ•œ ํ™•์žฅ์ž ์šฐํšŒ ๋ฐ ์ ˆ์‚ญ ๊ณต๊ฒฉ์„ ๋ฐฉ์ง€ํ•˜๊ธฐ ์œ„ํ•ด ํŒŒ์ผ๋ช…์— Null Byte๊ฐ€
ํฌํ•จ๋œ ๊ฒฝ์šฐ ์ฆ‰์‹œ `IllegalArgumentException`์„ ๋ฐœ์ƒ์‹œ์ผœ ์ž…๋ ฅ์„ ๊ฑฐ๋ถ€ํ•˜๋„๋ก
๋กœ์ง์„ ์ถ”๊ฐ€ํ–ˆ์Šต๋‹ˆ๋‹ค.

- ๊ด€๋ จ ๋‹จ์œ„ ํ…Œ์ŠคํŠธ `rejectsFilenameWithNullByte` ์ถ”๊ฐ€ (100% ํ…Œ์ŠคํŠธ ์ปค๋ฒ„๋ฆฌ์ง€ ์œ ์ง€)
- `.jules/sentinel.md`์— ๋ณด์•ˆ ๊ด€๋ จ ํ•™์Šต ๋‚ด์šฉ ๊ธฐ๋ก
@google-labs-jules

Copy link
Copy Markdown

๐Ÿ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a ๐Ÿ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@seonghobae

Copy link
Copy Markdown
Collaborator Author

#120 current-head failure follow-up

I re-read the failing current-head logs/SARIF and pushed c0f485c to address the real dependency findings instead of suppressing them.

Observed failures:

  • trivy-fs SARIF on the PR merge commit reported com.fasterxml.jackson.core:jackson-databind at 2.19.0 with CVE-2026-54512 and CVE-2026-54513 (HIGH), plus CVE-2026-54514 and CVE-2026-54515 (MEDIUM). Fixed version is 2.21.5 for the full set.
  • osv-scan log did not report exploitable findings in source, but failed dependency extraction after Maven Central returned 429 while resolving the old Spring Boot parent metadata (3.5.0). I bumped the parent to a current patch line so extraction has a current base and logs should now identify dependency state cleanly.
  • Scorecard posture items are governance/repo-setting work; for this PR I added repo-local SECURITY.md and Maven Dependabot as concrete improvements, while the central Java/Kotlin CodeQL PR scan gap is being handled in fix(ci): tighten central workflow gatesย .github#382.

Changes pushed:

  • Spring Boot parent 3.5.0 -> 3.5.14.
  • Explicit jackson-databind version via jackson-bom.version=2.21.5.
  • Removed unused org.apache.tika:tika-parsers-standard-package; source/POM scan for org.apache.tika|tika-parsers|Tika under src pom.xml returned no current usage.
  • Added .github/dependabot.yml for Maven updates and SECURITY.md for private vulnerability reporting.

Verification:

  • mvn -DskipTests -Dincludes=com.fasterxml.jackson.core:jackson-databind dependency:tree resolves jackson-databind:2.21.5.
  • mvn test passed: 336 tests, 0 failures, 0 errors, 0 skipped.
  • git diff --check passed except Windows LF->CRLF working-tree warnings.
  • Codegraph sync/status completed on this branch before commit.

Next loop item: re-check the current-head GitHub checks/SARIF once Actions starts this new SHA, and cancel old-head queued runs where the API permits it so the queue only works on current heads.

- `org.bouncycastle:bcprov-jdk18on`์˜ ๋ฒ„์ „ `1.81`์—์„œ ๋ฐœ๊ฒฌ๋œ OSV ๋ฐ Trivy ์Šค์บ” ์ทจ์•ฝ์ (CVE-2025-14813, CVE-2026-0636)์„ ํ•ด๊ฒฐํ•˜๊ธฐ ์œ„ํ•ด Bouncycastle ๋ฒ„์ „์„ `1.84`๋กœ ๋ช…์‹œ์ ์œผ๋กœ ์—…๋ฐ์ดํŠธํ–ˆ์Šต๋‹ˆ๋‹ค.
- `<dependencyManagement>` ์„น์…˜์„ ์ถ”๊ฐ€ํ•˜์—ฌ ๊ด€๋ จ Bouncycastle ์•„ํ‹ฐํŒฉํŠธ(`bcprov`, `bcpkix`, `bcutil`, `bcjmail`) ๋ฒ„์ „์ด ์ผ๊ด€๋˜๊ฒŒ 1.84๋กœ ์ ์šฉ๋˜๋„๋ก ๋ณด์žฅํ•ฉ๋‹ˆ๋‹ค.
- `pdfbox.version`์„ 3.0.3์—์„œ 3.0.4๋กœ ์—…๋ฐ์ดํŠธํ•˜์—ฌ ์ถ”๊ฐ€์ ์ธ ์ทจ์•ฝ์ ์„ ์˜ˆ๋ฐฉํ•ฉ๋‹ˆ๋‹ค.
- ์˜์กด์„ฑ ๋ฒ„์ „ ์—…๋ฐ์ดํŠธ์ด๋ฏ€๋กœ ๊ธฐ์กด ์†Œ์Šค ์ฝ”๋“œ ๋ฐ ํ…Œ์ŠคํŠธ์˜ ๋ณ€๊ฒฝ์€ ์—†์Šต๋‹ˆ๋‹ค.
@opencode-agent opencode-agent Bot disabled auto-merge July 11, 2026 11:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant