Summary
I was trying to add a BLOCK_LIST
feature when I noticed we don't sanitize the ImageId
in the code, which leads to path traversal vulnerability. Now, this is different from our traditional path traversal issue, because as of NOW I can store the image in any place arbitrarily, and given enough time I might be able to come up with a working exploit BUT for the time being I am reporting this.
Details
We are not sanitizing the ImageID
as in not removing special chars from the params (extract_query_params.ts#l75)
const imageId = dateString + "." + slugify(validData.url) +configToString(params);
This when fed to other parts of the code such as (filesystem.ts#L34)
return path.join(this.storagePath, imageId) + ".png";
Would result in path traversal issue.
PoC
# Configuration for filesystem storage provider (optional)
STORAGE_PROVIDER=filesystem
IMAGE_STORAGE_PATH=poc
Set this in your .env
file and use this as your payload.
http://localhost:3089/?url=http://example.com&width=400&isDarkMode=../../../../../../../../../../../../tmp/hack
This will create a .png
file in the /tmp
section of the system.
Loom POC: https://www.loom.com/share/bd7b306cdae7445c97e68f0626e743a6
This is valid for pretty much all the arguments (except for numeric values)
A simple fix would be to use the slugify
for the params as well like so (#L75)
- const imageId = dateString + "." + slugify(validData.url) + configToString(params);
+ const imageId = dateString + "." + slugify(validData.url) + slugify(configToString(params));
Impact
This would be path traversal vulnerability which allows arbitrary write as of now.
Summary
I was trying to add a
BLOCK_LIST
feature when I noticed we don't sanitize theImageId
in the code, which leads to path traversal vulnerability. Now, this is different from our traditional path traversal issue, because as of NOW I can store the image in any place arbitrarily, and given enough time I might be able to come up with a working exploit BUT for the time being I am reporting this.Details
We are not sanitizing the
ImageID
as in not removing special chars from the params (extract_query_params.ts#l75)This when fed to other parts of the code such as (filesystem.ts#L34)
Would result in path traversal issue.
PoC
Set this in your
.env
file and use this as your payload.This will create a
.png
file in the/tmp
section of the system.Loom POC: https://www.loom.com/share/bd7b306cdae7445c97e68f0626e743a6
This is valid for pretty much all the arguments (except for numeric values)
A simple fix would be to use the
slugify
for the params as well like so (#L75)Impact
This would be path traversal vulnerability which allows arbitrary write as of now.