validators=[validate_file_extension] not working on ticket attachment
Hi, I’m trying to fix the bug of uploading arbitrary attachments on a ticket. That resulted in the Stored XSS vulnerability being disclosed at: https://huntr.dev/bounties/4d7a5fdd-b2de-467a-ade0-3f2fb386638e/
When uploading attachments, the application will call def process_attachments, which then calls class FollowUpAttachment:
https://github.com/django-helpdesk/django-helpdesk/blob/91b37f6d73e31dc312c8e3a54b9578b0a0851624/helpdesk/lib.py#L131-L148
https://github.com/django-helpdesk/django-helpdesk/blob/91b37f6d73e31dc312c8e3a54b9578b0a0851624/helpdesk/models.py#L1087
These parameters will be passed to the class Attachment. And at file it must be checked by validators=[validate_file_extension]:
https://github.com/django-helpdesk/django-helpdesk/blob/91b37f6d73e31dc312c8e3a54b9578b0a0851624/helpdesk/models.py#L1017-L1029
https://github.com/django-helpdesk/django-helpdesk/blob/91b37f6d73e31dc312c8e3a54b9578b0a0851624/helpdesk/validators.py#L7-L15
But somehow it got through and resulted in being able to upload arbitrary attachments.
Can someone help me with this issue?
Top GitHub Comments
I believe the issue is that in the process_attachments function, the FollowUpAttachment instance is only saved in the database and that doesn’t trigger the validators: https://github.com/django-helpdesk/django-helpdesk/blob/91b37f6d73e31dc312c8e3a54b9578b0a0851624/helpdesk/lib.py#L148
The fix should be as simple as adding
att.full_clean()
before saving. More information in this stackoverflow answer.
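The save()-versus-full_clean() point made in the comment above, as an added example that is not django-helpdesk's code: a dependency-free Python stand-in for the Django model (the class and function names mirror the project, while the allow-list, the ValidationError stand-in and the in-memory "table" are constructed) showing that save() alone stores an .html attachment whereas calling full_clean() first rejects it.

```python
import os

# Constructed allow-list; django-helpdesk keeps its real one in helpdesk/validators.py.
ALLOWED_EXTENSIONS = {".txt", ".pdf", ".doc", ".docx", ".odt", ".jpg", ".jpeg", ".png"}


class ValidationError(ValueError):
    """Stand-in for django.core.exceptions.ValidationError so this runs without Django."""


def validate_file_extension(filename):
    """Model validator: allow-list the final extension, case-insensitively."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValidationError(f"Unsupported file extension: {ext or '(none)'}")


class FollowUpAttachment:
    """Minimal stand-in for the Django model. As in Django, the field declares a
    validator, but save() never runs validators; only full_clean() does."""
    validators = {"filename": [validate_file_extension]}
    stored = []  # constructed in-memory "database table"

    def __init__(self, filename):
        self.filename = filename

    def full_clean(self):
        for field, checks in self.validators.items():
            for check in checks:
                check(getattr(self, field))

    def save(self):
        self.stored.append(self.filename)


def process_attachments(filenames, validate=True):
    """Mirror of helpdesk.lib.process_attachments. validate=False is the buggy path
    (save() only); validate=True applies the fix above (full_clean() before save()).
    Returns (stored filenames, rejected filenames)."""
    FollowUpAttachment.stored.clear()
    rejected = []
    for name in filenames:
        att = FollowUpAttachment(name)
        try:
            if validate:
                att.full_clean()
            att.save()
        except ValidationError:
            rejected.append(name)
    return list(FollowUpAttachment.stored), rejected
```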
This was addressed in #984 and will get included in the 0.3.1 bugfix release. Thanks! I’m going to close this to help me triage tickets.