Issue about Path Traversal #54

Open
caoliqingstudio opened this issue Mar 14, 2024 · 0 comments
caoliqingstudio commented Mar 14, 2024

1. Path Traversal

I have identified a path traversal vulnerability in the SurveyKing application, which affects two specific URLs: "public/upload" and "file/create". This vulnerability allows an attacker to access files outside of the intended directory and potentially retrieve sensitive information from the server.
The vulnerability arises from the lack of proper input filtering on the content of uploadFile.getOriginalFilename().
Recommendation: Add a validation in the FileServiceImpl class to check if the file name returned by uploadFile.getOriginalFilename() contains "..". If it does, reject the file upload.
[image]

For the version v0.2.0, the position is in class "LocalStorageService". In the 'uploadFile' method, the content obtained from 'getOriginalFilename' should be filtered to check if it contains ".." before constructing the file path.

[image]

There are two other issues here.

2. XSS

The "/file/create" interface is used for uploading background images, but there is no filtering for the uploaded file types. Therefore, I suggest adding a check for the file type in the FileApi.upload method. The uploaded files will be displayed in an `<img>` tag. Not checking the file type can potentially lead to XSS injection vulnerabilities.

Version v0.2.0 has the same problem. Accessing the upload endpoint via "${api.prefix}/files" provides an interface for uploading images, but there is no restriction to upload only image-format files. Additionally, when constructing HTML using "listImages" and similar methods to fetch images, there is no filtering applied.

[image]

3. DDoS

In the "FileServiceImpl.upload" method, if it is determined that the file is an image file, thumbnailator is used to generate a thumbnail. There is no restriction on the size of the uploaded file here. If the image is complex to load (such as progressive JPEG) or too large, it could consume a significant amount of server resources, leading to a potential DDoS attack.
[image]

For the version v0.2.0, the position is in class "LocalStorageService".

[image]
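A defensive validator covering the three points raised in this issue (a traversal check on the original file name, an image allowlist for the upload endpoint, and a size cap before the thumbnail is generated), written here as an added example rather than SurveyKing's own code. The class and method names, the allowlists, the 5 MiB cap and the base directory are assumptions; the caller would pass the value of uploadFile.getOriginalFilename() together with the MultipartFile's declared content type and size.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;

/**
 * Added example, not SurveyKing's own code. Every name in this class is an
 * assumption; the inputs correspond to MultipartFile.getOriginalFilename(),
 * getContentType() and getSize() of the uploaded file.
 */
public final class UploadGuard {

    // Assumed allowlist of image types the background-image endpoint accepts.
    private static final Set<String> IMAGE_EXTENSIONS =
            Set.of("png", "jpg", "jpeg", "gif", "webp");
    private static final Set<String> IMAGE_CONTENT_TYPES =
            Set.of("image/png", "image/jpeg", "image/gif", "image/webp");

    // Assumed upper bound on an upload before Thumbnailator touches it.
    public static final long MAX_UPLOAD_BYTES = 5L * 1024 * 1024;

    private UploadGuard() {}

    /**
     * Rejects names that could escape the upload directory: the ".." sequence
     * the issue recommends checking, plus path separators of either platform,
     * NUL bytes and empty names. Returns the name unchanged when it is safe.
     */
    public static String sanitizeFilename(String original) {
        if (original == null || original.isBlank()) {
            throw new IllegalArgumentException("empty file name");
        }
        if (original.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("NUL byte in file name");
        }
        if (original.contains("..") || original.indexOf('/') >= 0 || original.indexOf('\\') >= 0) {
            throw new IllegalArgumentException("traversal or separator in file name");
        }
        return original;
    }

    /**
     * Resolves the sanitized name under the base directory and verifies, after
     * normalization, that the result still lies inside it. This second check is
     * independent of the string filter, so a miss there does not escape.
     */
    public static Path resolveInside(Path baseDir, String sanitizedName) {
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(sanitizedName).normalize();
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IllegalArgumentException("resolved path escapes upload directory");
        }
        return target;
    }

    /** Both the extension and the declared content type must be on the image allowlist. */
    public static boolean isAllowedImage(String sanitizedName, String contentType) {
        int dot = sanitizedName.lastIndexOf('.');
        if (dot < 0 || dot == sanitizedName.length() - 1) {
            return false;
        }
        String ext = sanitizedName.substring(dot + 1).toLowerCase(Locale.ROOT);
        return IMAGE_EXTENSIONS.contains(ext)
                && contentType != null
                && IMAGE_CONTENT_TYPES.contains(contentType.toLowerCase(Locale.ROOT));
    }

    /** Size gate to apply before any thumbnail generation is attempted. */
    public static void checkSize(long sizeInBytes) {
        if (sizeInBytes <= 0 || sizeInBytes > MAX_UPLOAD_BYTES) {
            throw new IllegalArgumentException("upload size out of bounds: " + sizeInBytes);
        }
    }

    public static void main(String[] args) {
        Path base = Paths.get("/srv/surveyking/upload"); // constructed base directory
        // Constructed sample file names: one benign, three that must be rejected.
        String[] names = {"logo.png", "../../etc/passwd", "..\\..\\web.xml", "a/b.png"};
        for (String n : names) {
            try {
                String safe = sanitizeFilename(n);
                Path p = resolveInside(base, safe);
                System.out.println("accepted: " + n + " -> " + p);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + n + " (" + e.getMessage() + ")");
            }
        }
        System.out.println("logo.png as image/png allowed: " + isAllowedImage("logo.png", "image/png"));
        System.out.println("page.html as text/html allowed: " + isAllowedImage("page.html", "text/html"));
        checkSize(1024); // within the cap, so no exception
    }
}
```

The order in an upload handler would be: sanitizeFilename on getOriginalFilename(), then isAllowedImage and checkSize on the declared type and size, then resolveInside to obtain the storage path, and only after all three have passed hand the bytes to Thumbnailator. Serving the stored files with a fixed image Content-Type and `X-Content-Type-Options: nosniff` is the complementary browser-side control for the XSS point.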
