Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

lack of escaping of filename in content-disposition FileAttachment() is vulnerable to Reflect File Download #1621

Closed
1 task done
sufatmawati opened this issue May 13, 2024 · 0 comments · Fixed by #1620
Closed
1 task done
Labels

Comments

@sufatmawati
Copy link
Contributor

sufatmawati commented May 13, 2024

Describe the bug
The filename parameter of the Context.FileAttachment function is not properly sanitized. A maliciously crafted filename can cause the Content-Disposition header to be sent with an unexpected filename value or otherwise modify the Content-Disposition header. For example, a filename of "setup.bat";x=.txt" will be sent as a file named "setup.bat". If the FileAttachment function is called with names provided by an untrusted source, this may permit an attacker to cause a file to be served with a name different than provided. Maliciously crafted attachment file name can modify the Content-Disposition header.

pull-request for patched the vulnerable on #1620

func (c *Context) FileAttachment(filepath, filename string) {
	if isASCII(filename) {
		c.Writer.Header().Set("Content-Disposition", `attachment; filename="`+filename+`"`)
package main

import (
  "github.com/gin-gonic/gin"
  "go.elastic.co/apm/v2"
)

func main() {
  r := gin.Default()
  r.GET("/download", func(c *gin.Context) {
    dir := "/Users/{CHANGE_PROJECT_DIRECTRY}/"

    // Although the file name is hard-coded, we assume that the file name is actually determined by the DB or user input.
    filename := "malicious.sh\";dummy=.txt"
    c.FileAttachment(dir + filename, filename)
  })
  r.Run()
}
HTTP/1.1 304 Not Modified
Content-Disposition: attachment; filename="malicious.sh";dummy=.txt"
Date: Wed, 20 Jul 2022 11:17:43 GMT

Content-Disposition: attachment; filename="malicious.sh";dummy=.txt"

CWE-494
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Tasks

  1. agent-go
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
1 participant