
gRPC requests are weakly validated

Low
gaius-qi published GHSA-9c53-m9f9-fr93 Sep 17, 2025

Package

gomod github.com/dragonflyoss/dragonfly (Go)

Affected versions

<2.1.0

Patched versions

2.1.0

Description

Impact

The gRPC requests are weakly validated, and some requests’ fields are not validated at all.

For example, the ImportTaskRequest's url_meta field is not validated at all and may be absent from a request. Sending such a request to the ImportTask endpoint executes the code below (figure 14.3 of the audit report). The call to the logger reads req.UrlMeta.Tag, which causes a nil-pointer dereference panic because req.UrlMeta is nil when the client omitted url_meta.

s.Keep()
peerID := idgen.PeerIDV1(s.peerHost.Ip)
taskID := idgen.TaskIDV1(req.Url, req.UrlMeta)
// req.UrlMeta is nil when url_meta is absent, so req.UrlMeta.Tag panics here
log := logger.With("function", "ImportTask", "URL", req.Url, "Tag", req.UrlMeta.Tag,
"taskID", taskID, "file", req.Path)
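The following is an added example (not code from Dragonfly or from the audit report) showing the panic beside the check the handler should run first. The ImportTaskRequest and UrlMeta types are hypothetical stand-ins for the generated protobuf messages, with field names taken from the snippet above; in a real handler the validation error would be returned as codes.InvalidArgument rather than a plain error.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Hypothetical stand-ins for the generated protobuf message types.
// Field names follow the advisory's req.Url / req.UrlMeta / req.Path.
type UrlMeta struct {
	Digest string
	Tag    string
}

type ImportTaskRequest struct {
	Url     string
	UrlMeta *UrlMeta // nil when the client omits url_meta
	Path    string
}

// ErrValidation wraps every rejection so a gRPC handler can map it to
// codes.InvalidArgument.
var ErrValidation = errors.New("invalid ImportTaskRequest")

// unvalidatedTag reproduces the advisory's bug: it reads req.UrlMeta.Tag
// before anything checks that UrlMeta is present. The deferred recover only
// turns the resulting nil-pointer panic into an error so the program can
// show it; the vulnerable handler has no such guard.
func unvalidatedTag(req *ImportTaskRequest) (tag string, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("handler panicked: %v", r)
		}
	}()
	return req.UrlMeta.Tag, nil
}

// validateImportTaskRequest is the check that must run before any field of
// the request is dereferenced. It rejects a missing url_meta instead of
// letting the handler crash on it.
func validateImportTaskRequest(req *ImportTaskRequest) error {
	if req == nil {
		return fmt.Errorf("%w: nil request", ErrValidation)
	}
	if req.Url == "" {
		return fmt.Errorf("%w: url is required", ErrValidation)
	}
	u, err := url.Parse(req.Url)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return fmt.Errorf("%w: url must be absolute", ErrValidation)
	}
	if req.UrlMeta == nil {
		return fmt.Errorf("%w: url_meta is required", ErrValidation)
	}
	if strings.TrimSpace(req.Path) == "" {
		return fmt.Errorf("%w: path is required", ErrValidation)
	}
	return nil
}

// safeTag is the hardened counterpart of unvalidatedTag: validate, then use.
func safeTag(req *ImportTaskRequest) (string, error) {
	if err := validateImportTaskRequest(req); err != nil {
		return "", err
	}
	return req.UrlMeta.Tag, nil
}

func main() {
	// Constructed sample requests (not from the advisory).
	bad := &ImportTaskRequest{Url: "https://example.com/file", Path: "/tmp/file"}
	good := &ImportTaskRequest{Url: "https://example.com/file", Path: "/tmp/file",
		UrlMeta: &UrlMeta{Tag: "t1"}}

	if _, err := unvalidatedTag(bad); err != nil {
		fmt.Println("unvalidated handler:", err)
	}
	if _, err := safeTag(bad); err != nil {
		fmt.Println("validated handler:", err)
	}
	tag, _ := safeTag(good)
	fmt.Println("validated handler, tag:", tag)
}
```

Validation of this kind belongs in one place that every RPC method calls before touching the message (a gRPC unary interceptor is the usual spot), so that a field added later cannot be forgotten in one handler.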

Another example of weak validation can be seen in the definition of the UrlMeta message. The digest field should contain an algorithm prefix followed by a hex-encoded MD5 or SHA-256 hash. The validation rule checks the prefix and the hex alphabet, but not the length of the hash; the length is only checked later, during parsing. Note also that, as written, the alternation in the pattern binds loosely: the first alternative is just ^(md5), which accepts any value that begins with md5 regardless of what follows, so for MD5 digests the rule does not even enforce the hex alphabet.

// UrlMeta describes url meta info.
message UrlMeta {
  // Digest checks integrity of url content, for example md5:xxx or sha256:yyy.
  string digest = 1 [(validate.rules).string = {pattern:
"^(md5)|(sha256):[A-Fa-f0-9]+$", ignore_empty:true}];
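As an added example (not Dragonfly's own code), the block below evaluates the pattern quoted above with Go's regexp package, which is how a protoc-gen-validate string.pattern rule is checked in Go, and puts a strict pattern beside it that pins the prefix, the hex alphabet and the hash length. The strict pattern is a suggestion for illustration; it is not necessarily the rule that shipped in v2.1.0. All sample digests are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// pageDigestPattern is the pattern quoted in the advisory's UrlMeta definition.
// Alternation binds loosest, so it reads as (^(md5)) | ((sha256):[A-Fa-f0-9]+$).
var pageDigestPattern = regexp.MustCompile(`^(md5)|(sha256):[A-Fa-f0-9]+$`)

// strictDigestPattern (an assumption, not the project's rule) anchors both
// alternatives and pins the hex length to the algorithm's output size:
// 32 hex characters for MD5, 64 for SHA-256.
var strictDigestPattern = regexp.MustCompile(`^(md5:[A-Fa-f0-9]{32}|sha256:[A-Fa-f0-9]{64})$`)

// MatchesPagePattern reports whether the quoted rule accepts the value.
// An empty digest is accepted to mirror ignore_empty:true.
func MatchesPagePattern(digest string) bool {
	return digest == "" || pageDigestPattern.MatchString(digest)
}

// ValidateDigest is the strict check: prefix, hex alphabet and length,
// with the same ignore_empty behaviour.
func ValidateDigest(digest string) error {
	if digest == "" {
		return nil
	}
	if !strictDigestPattern.MatchString(digest) {
		return fmt.Errorf("digest %q: want md5:<32 hex> or sha256:<64 hex>", digest)
	}
	return nil
}

func main() {
	// Constructed sample inputs (not from the advisory).
	samples := []string{
		"md5:" + strings.Repeat("a", 32),    // valid MD5 digest
		"sha256:" + strings.Repeat("b", 64), // valid SHA-256 digest
		"md5:abcd",                          // too short: page pattern accepts it
		"md5:not-hex!",                      // not hex: ^(md5) alone still matches
		"xsha256:abcd",                      // second alternative is not anchored at ^
		"sha1:" + strings.Repeat("c", 40),   // unsupported algorithm: both reject
	}
	for _, s := range samples {
		fmt.Printf("%-72s page-pattern=%-5v strict=%v\n",
			s, MatchesPagePattern(s), ValidateDigest(s) == nil)
	}
}
```

The three middle cases are the ones a practitioner should care about: each passes the quoted rule and would only be caught later, when the digest is parsed, which is exactly the "validated only during parsing" gap the advisory describes.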

Patches

  • Dragonfly v2.1.0 and above.

Workarounds

There are no effective workarounds, beyond upgrading.

References

A third-party security audit was performed by Trail of Bits; the full report is available from the project.

If you have any questions or comments about this advisory, please email us at dragonfly-maintainers@googlegroups.com.

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs

Credits