
validators=[validate_file_extension] not working on ticket attachment


Hi, I’m trying to fix the bug of uploading arbitrary attachments on a ticket, which resulted in the Stored XSS vulnerability disclosed at: https://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e/

When uploading attachments, the application calls process_attachments, which then uses the FollowUpAttachment class: https://github.com/django-helpdesk/django-helpdesk/blob/91b37f6d73e31dc312c8e3a54b9578b0a0851624/helpdesk/lib.py#L131-L148 https://github.com/django-helpdesk/django-helpdesk/blob/91b37f6d73e31dc312c8e3a54b9578b0a0851624/helpdesk/models.py#L1087

These parameters are passed to the Attachment class, and the file field should be checked by validators=[validate_file_extension]: https://github.com/django-helpdesk/django-helpdesk/blob/91b37f6d73e31dc312c8e3a54b9578b0a0851624/helpdesk/models.py#L1017-L1029 https://github.com/django-helpdesk/django-helpdesk/blob/91b37f6d73e31dc312c8e3a54b9578b0a0851624/helpdesk/validators.py#L7-L15 But somehow it got through and resulted in being able to upload arbitrary attachments.

Can someone help me with this issue?

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments:6 (5 by maintainers)

Top GitHub Comments

2 reactions
Benbb96 commented, Nov 17, 2021

I believe the issue is that in the process_attachments function, the FollowUpAttachment instance is only saved to the database, and that doesn’t trigger the validators: https://github.com/django-helpdesk/django-helpdesk/blob/91b37f6d73e31dc312c8e3a54b9578b0a0851624/helpdesk/lib.py#L148

The fix should be as simple as adding att.full_clean() before saving.
More information in this Stack Overflow answer.
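The mechanism this comment describes, as an added stand-alone example (not django-helpdesk's or Django's own code): Django runs field validators only from Model.full_clean(), never from Model.save(), so a tiny Model stand-in below reproduces just that contract, with a constructed extension allow-list, to show the attachment slipping through save() alone and being rejected once full_clean() runs first.

```python
# Added example, not django-helpdesk's or Django's code: a minimal stand-in for
# the Django contract that field validators run only from Model.full_clean(),
# never from Model.save(). VALID_EXTENSIONS is a constructed sample allow-list.
import os

VALID_EXTENSIONS = {".txt", ".pdf", ".png", ".jpg", ".jpeg"}

class ValidationError(Exception):
    """Stands in for django.core.exceptions.ValidationError."""

def validate_file_extension(filename):
    """Allow-list check on the final extension, compared case-insensitively;
    an empty extension is rejected too, so a bare name cannot slip through."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in VALID_EXTENSIONS:
        raise ValidationError("unsupported extension %r" % ext)

class Model:
    """save() only stores; full_clean() is the only place validators run."""
    validators = {}  # field name -> list of validator callables

    def __init__(self, **values):
        self.values, self.saved = values, False

    def full_clean(self):
        for name, checks in self.validators.items():
            for check in checks:
                check(self.values[name])

    def save(self):
        self.saved = True  # no validation here, exactly like Django's save()

class FollowUpAttachment(Model):
    validators = {"file": [validate_file_extension]}

def process_attachment_vulnerable(filename):
    """Pattern from the issue: save() alone, so the validator never fires."""
    att = FollowUpAttachment(file=filename)
    att.save()
    return att.saved

def process_attachment_fixed(filename):
    """Fix from the thread: full_clean() before save() enforces the allow-list."""
    att = FollowUpAttachment(file=filename)
    try:
        att.full_clean()
    except ValidationError:
        return False
    att.save()
    return att.saved
```

An extension allow-list only checks the name, not the content, so serving uploads with a safe Content-Type and Content-Disposition remains a separate defence.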

0 reactions
gwasser commented, Nov 18, 2021

This was addressed in #984 and will get included in the 0.3.1 bugfix release. Thanks! I’m going to close this to help me triage tickets.

