a couple of vulnerabilities were detected

ctf0 · ctf0 · commit b2126e12776c · 2021-02-24T07:21:24.000+02:00
- Server-Side Request Forgery (SSRF) in Upload image from URL.  "CVE-2021-27566"
- Bypass Unrestricted File Upload. "CVE-2021-27567"
diff --git a/README.md b/README.md
@@ -85,7 +85,7 @@
     + using the upload panel
     + drag & drop anywhere
     + click & hold on an empty area **"items container"**
-    + from a url
+    + from a url **"images only"**
 - [preview files before uploading](https://github.com/ctf0/Laravel-Media-Manager/wiki/Preview-Files-Before-Uploading)
 - toggle between `random/original` names for uploaded files
 - [asynchronous Updates](https://github.com/ctf0/Laravel-Media-Manager/wiki/Async-Update-The-Manager)
diff --git a/src/App/Controllers/MediaController.php b/src/App/Controllers/MediaController.php
@@ -42,6 +42,7 @@ class MediaController extends Controller
     protected $storageDisk;
     protected $storageDiskInfo;
     protected $unallowedMimes;
+    protected $unallowedExt;
 
     public function __construct()
     {
@@ -53,6 +54,7 @@ public function __construct()
         $this->folderChars      = $config['allowed_folderNames_chars'];
         $this->sanitizedText    = $config['sanitized_text'];
         $this->unallowedMimes   = $config['unallowed_mimes'];
+        $this->unallowedExt     = $config['unallowed_ext'];
         $this->LMF              = $config['last_modified_format'];
         $this->GFI              = $config['get_folder_info']   ?? true;
         $this->paginationAmount = $config['pagination_amount'] ?? 50;
diff --git a/src/App/Controllers/Modules/Upload.php b/src/App/Controllers/Modules/Upload.php
@@ -43,7 +43,14 @@ public function upload(Request $request)
                     // check for mime type
                     if (Str::contains($file_type, $this->unallowedMimes)) {
                         throw new Exception(
-                            trans('MediaManager::messages.not_allowed_file_ext', ['attr' => $file_type])
+                            trans('MediaManager::messages.not_allowed_file_ext')
+                        );
+                    }
+
+                    // check for extension
+                    if (Str::contains($ext_only, $this->unallowedExt)) {
+                        throw new Exception(
+                            trans('MediaManager::messages.not_allowed_file_ext')
                         );
                     }
 
@@ -59,9 +66,9 @@ public function upload(Request $request)
 
                     // fire event
                     event('MMFileUploaded', [
-                        'file_path'  => $full_path,
-                        'mime_type'  => $file_type,
-                        'options'    => $file_options,
+                        'file_path' => $full_path,
+                        'mime_type' => $file_type,
+                        'options'   => $file_options,
                     ]);
 
                     $broadcast = true;
@@ -122,8 +129,17 @@ public function uploadEditedImage(Request $request)
                     );
                 }
 
+                // data is valid
+                try {
+                    $data = base64_decode($data);
+                } catch (\Throwable $th) {
+                    throw new Exception(
+                        trans('MediaManager::messages.error.no_file')
+                    );
+                }
+
                 // save file
-                $this->storageDisk->put($destination, base64_decode($data));
+                $this->storageDisk->put($destination, $data);
 
                 // fire event
                 event('MMFileSaved', [
@@ -182,10 +198,12 @@ public function uploadLink(Request $request)
             $file_type   = image_type_to_mime_type(@exif_imagetype($url));
 
             try {
+                $ignore = array_merge($this->unallowedMimes, ['application/octet-stream']);
+
                 // check for mime type
-                if (Str::contains($file_type, $this->unallowedMimes)) {
+                if (Str::contains($file_type, $ignore)) {
                     throw new Exception(
-                        trans('MediaManager::messages.not_allowed_file_ext', ['attr' => $file_type])
+                        trans('MediaManager::messages.not_allowed_file_ext')
                     );
                 }
 
@@ -196,8 +214,17 @@ public function uploadLink(Request $request)
                     );
                 }
 
+                // data is valid
+                try {
+                    $data = file_get_contents($url);
+                } catch (\Throwable $th) {
+                    throw new Exception(
+                        trans('MediaManager::messages.error.no_file')
+                    );
+                }
+
                 // save file
-                $this->storageDisk->put($destination, file_get_contents($url));
+                $this->storageDisk->put($destination, $data);
 
                 // fire event
                 event('MMFileSaved', [
@@ -218,7 +245,7 @@ public function uploadLink(Request $request)
             } catch (Exception $e) {
                 $result = [
                     'success' => false,
-                    'message' => "\"$file_name\" " . $e->getMessage(),
+                    'message' => $e->getMessage(),
                 ];
             }
         } else {
diff --git a/src/config/mediaManager.php b/src/config/mediaManager.php
@@ -45,6 +45,12 @@
      */
     'unallowed_mimes' => ['php', 'java'],
 
+    /*
+     * disallow uploading files with the following extensions
+     * https://en.wikipedia.org/wiki/List_of_filename_extensions
+     */
+    'unallowed_ext' => ['php', 'jav', 'py'],
+
     /*
      * extra mime-types
      */
diff --git a/src/resources/lang/en/messages.php b/src/resources/lang/en/messages.php
@@ -117,6 +117,7 @@
         'moving'         => 'There Seems To Be A Problem Moving This File/Folder, Make Sure You Have The Correct Permissions',
         'moving_cloud'   => 'Cloud Folders Can\'t Be "Renamed, Moved Or Copied"',
         'move_into_self' => 'Folder Can\'t Be "Moved Or Copied" Into It Self',
+        'no_file'        => 'No File To Upload',
     ],
     'filter' => [
         'main'       => 'Filter',
@@ -153,7 +154,7 @@
     'no_files_in_folder'   => 'No Files In This Folder',
     'no_val'               => 'Maybe You Should Add Something First !!!',
     'non'                  => 'Non',
-    'not_allowed_file_ext' => 'Files Of Type ":attr" Are Not Allowed',
+    'not_allowed_file_ext' => 'File Type Is Not Allowed',
     'nothing_found'        => 'Nothing Found',
     'open'                 => 'Open',
     'pdf'                  => 'Your Browser Does Not Support Pdfs, Please Download The Pdf To View It',
