Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Vulnerability - Arbitrary File Download #67

Closed
arall opened this issue Oct 11, 2019 · 7 comments
Closed

Vulnerability - Arbitrary File Download #67

arall opened this issue Oct 11, 2019 · 7 comments

Comments

@arall
Copy link

arall commented Oct 11, 2019
edited
Loading

The following controller method is vulnerable to arbitrary file download:

public function download(Request $request, ResponseFactory $response): BinaryFileResponse
{
    $data = $this->validate($request, [
        'path'     => 'required',
        'filename' => 'required',
    ]);

    return $response->download(
        $data['path'],
        $data['filename']
    )->deleteFileAfterSend($shouldDelete = true);
}

(No authentication is needed)

Example Proof of Concept:

https://testdomain.local/nova-vendor/maatwebsite/laravel-nova-excel/download?path=/etc/passwd&filename=file.txt

I think generated files should be stored in storage/app/laravel-nova-excel (or something similar) and the controller must ensure that files are only fetched from that directory (preventing moving to parent by injecting ../ in the filename etc).

Perhaps changing the path parameter into file (and enforce previous checks) would be a solution.

Also, authentication must be required.
@patrickbrouwers
Copy link
Member

Thanks for reporting the issue. Would be awesome if you could PR a fix for that.

(Also, in future it's better to report security issues via mail or the security tab)

@arall
Copy link
Author

arall commented Oct 11, 2019

(Also, in future it's better to report security issues via mail or the security tab)

Sorry, but I don't have permissions to draft advisories and there is no security policy defined.

I might try to do a PR with the fixes later.

@patrickbrouwers
Copy link
Member

I thought you would be able to draft an advisory, that's weird. I've copied the security policy from Laravel Excel now. Thought it was already in place.

Thanks for looking into the PR!

@arall
Copy link
Author

arall commented Oct 14, 2019

I was trying to do the PR, but I think the package maatwebsite/excel is also involved (to define the path). Looking into it, I think it should use Laravel Filesystem, instead of its own implementation.

For the authentication, would be enough to add this method in the controller:

/**
 * Instantiate a new controller instance.
 *
 * @return void
 */
public function __construct()
{
    $this->middleware('auth');
}

Of course, this will force to be authenticated in Laravel Nova (I'm not sure if that will conflict any scenario).

@patrickbrouwers
Copy link
Member

@arall maatwebsite/excel does use laravel filesystem, however I think the personal who PR'd this did it like this, so he wouldn't have to clean-up after downloading (I believe)

Forced to be authenticated would be good I think.

@JoshOldenburg JoshOldenburg mentioned this issue Nov 18, 2019
Closed
@danigri84
Copy link

Given the lack of updates on this critical issue, we've forked the project and deployed our solution to https://github.com/pdmfc/Laravel-Nova-Excel

@patrickbrouwers
Copy link
Member

Fixed in next release

@SpartnerNL SpartnerNL deleted a comment from mavisGG Dec 30, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@arall @patrickbrouwers @danigri84