-
Notifications
You must be signed in to change notification settings - Fork 8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
FileAttachment() is vulnerable to Reflect File Download #3555
Comments
The Go Vulnerability Database has designated this GO-2023-1737 (https://pkg.go.dev/vuln/GO-2023-1737) and CVE-2023-29401. To add a fixed version or otherwise update this report, you can reopen and comment on golang/vulndb#1737. |
Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function References gin-gonic/gin#3555 gin-gonic/gin#3556 https://pkg.go.dev/vuln/GO-2023-1737
Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function References gin-gonic/gin#3555 gin-gonic/gin#3556 https://pkg.go.dev/vuln/GO-2023-1737 Co-authored-by: MHSanaei <[email protected]>
Gin Web Framework does not properly sanitize filename parameter of Context.FileAttachment function References gin-gonic/gin#3555 gin-gonic/gin#3556 https://pkg.go.dev/vuln/GO-2023-1737 Co-authored-by: MHSanaei <[email protected]>
Silence is the new answer, thx @appleboy and all the other maintainers |
any news about that? |
Thank you so much @thinkerou . If possible, I would appreciate it if you could enable the GitHub feature There are people (@igibek) in this Issue who, |
@motoyasu-saburi sorry, I have not the permission. |
v1.9.1 have released, please see https://github.com/gin-gonic/gin/releases/tag/v1.9.1, thanks! |
nancy is still complaining about the CVE for v1.9.1 pkg:golang/github.com/gin-gonic/[email protected] |
It might not know that 1.9.1 has the patch. Scanners don't always look at the code and wait for someone to update what the fix version is. |
Current scan (10 mins ago) as part of a GitHub workflow with Nancy no longer complains, so it appears that the update is now also known to them... |
I have contacted the maintainer 4-5 times via email, Snyk, etc.,
but have not received a reply, so I am raising an Issue.
Description
gin
>context.go
>func FileAttachment
contains a vulnerability that allows the extension/file name to be tampered with when downloading files.
This is known as a Reflect File Download attack.
https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf
This vulnerability allows a Threat Actor to replace what was
.txt
when uploading with.sh
, etc. when (victim) downloading.This is due to improper handling of the filename in the Content-Disposition response header.
https://github.com/gin-gonic/gin/blob/a889c58de78711cb9b53de6cfcc9272c8518c729/context.go#LL1059-L1059C86
My calculations CVSS (v3):
However, I think the impact of the actual situation is much lower than that of CVSS.
How to reproduce
Env
OS: macOSVentura(13.1)
Go ver: 1.18.2 darwin/arm64
gin ver: v1.9.0 (The latest ver has not been corrected either, so the problem probably remains.)
Browser: Chrome 111.0.5563.110 (arm64)
(Linux or MacOS is required.
This is because Windows does not allow file names containing " (double-quote) .)
Edit Directory
Access:
http://localhost:8080/download
Return Response Header:
Content-Disposition:
Download File:
malicious.sh
Cause & Fix
The reason is that the filename in Content-Disposition is not escape / encoded.
If not escape / encoded (
"
), the filename field can be terminated arbitrarily, as shown in the PoC.Therefore, the following escapes are required.
"
-->\"
or%22
\r
-->\\r
or%0D
\n
-->\\n
or%0A
(
\r
,\n
was converted to space, so no problem.)The requirements for encoding
filename
inContent-Disposition
are described in RFC6266 and WhatWG html spec(multipart/form-data).RFC 6266 (section 5)
https://tools.ietf.org/html/rfc6266#section-5
What WG - html spec - multipart/form-data
https://html.spec.whatwg.org/#multipart-form-data
Golang also implements Content-Disposition escaping based on these requirements.
(This implementation is a
Content-Disposition
implementation formultipart/form-data
,so the situation is slightly different from the
HTTP Response
>Content-Disposition
in this issue.)https://github.com/golang/go/blob/e0e0c8fe9881bbbfe689ad94ca5dddbb252e4233/src/mime/multipart/writer.go#L144
Reference
RFC 6266 (section 5)
https://tools.ietf.org/html/rfc6266#section-5
What WG - html spec > multipart/form-data :
https://html.spec.whatwg.org/#multipart-form-data
OWASP ASVS (Related issue):
OWASP/ASVS#1390
Golang impliments:
https://github.com/golang/go/blob/e0e0c8fe9881bbbfe689ad94ca5dddbb252e4233/src/mime/multipart/writer.go#L144
Spring (Java) Impliments:
https://github.com/spring-projects/spring-framework/blob/4f8516e2c3ca420b1608840ab901bf9df7e4d5f1/spring-web/src/main/java/org/springframework/http/ContentDisposition.java#L594-L617
Symfony(PHP) Impliments:
https://github.com/symfony/symfony/blob/123b1651c4a7e219ba59074441badfac65525efe/src/Symfony/Component/HttpFoundation/HeaderUtils.php#L187-L189
This is my own article, but it summarizes the impact, etc. on this issue.
https://gist.github.com/motoyasu-saburi/1b19ef18e96776fe90ba1b9f910fa714
The text was updated successfully, but these errors were encountered: