Headline
CVE-2021-41277: GeoJSON URL validation fix (#17990) · metabase/metabase@042a36e
Metabase is an open source data analytics platform. In affected versions a security issue has been discovered with the custom GeoJSON map (admin->settings->maps->custom maps->add a map) support and potential local file inclusion (including environment variables). URLs were not validated prior to being loaded. This issue is fixed in a new maintenance release (0.40.5 and 1.40.5), and any subsequent release after that. If you’re unable to upgrade immediately, you can mitigate this by including rules in your reverse proxy or load balancer or WAF to provide a validation filter before the application.
Expand Up
@@ -100,10 +100,18 @@
(testing “test the endpoint that fetches JSON files given a URL”
(is (= {:type “Point”
:coordinates [37.77986 -122.429]}
((mt/user->client :rasta) :get 200 “geojson” :url test-geojson-url))))
((mt/user->client :crowberto) :get 200 “geojson” :url test-geojson-url))))
(testing “error is returned if URL connection fails”
(is (= “GeoJSON URL failed to load”
((mt/user->client :rasta) :get 400 “geojson” :url test-broken-geojson-url))))))
((mt/user->client :crowberto) :get 400 “geojson” :url test-broken-geojson-url))))
(testing “error is returned if URL is invalid”
(is (= (str "Invalid GeoJSON file location: must either start with http:// or https:// or be a relative path to "
"a file on the classpath. URLs referring to hosts that supply internal hosting metadata are "
“prohibited.”)
((mt/user->client :crowberto) :get 400 “geojson” :url “file://tmp”))))
(testing “cannot be called by non-admins”
(is (= “You don’t have permissions to do that.”
((mt/user->client :rasta) :get 403 “geojson” :url test-geojson-url))))))
(deftest key-proxy-endpoint-test
(testing “GET /api/geojson/:key”
Expand All
@@ -120,9 +128,9 @@
(is (= {:type “Point”
:coordinates [37.77986 -122.429]}
(client/client :get 200 “geojson/middle-earth”))))
(testing “try fetching an invalid key; should fail”
(is (= “Invalid custom GeoJSON key: invalid-key”
((mt/user->client :rasta) :get 400 “geojson/invalid-key”)))))
(testing “try fetching an invalid key; should fail”
(is (= “Invalid custom GeoJSON key: invalid-key”
((mt/user->client :rasta) :get 400 “geojson/invalid-key”)))))
(mt/with-temporary-setting-values [custom-geojson test-broken-custom-geojson]
(testing “fetching a broken URL should fail”
(is (= “GeoJSON URL failed to load”
Expand Down
Related news
The threat actors behind the AndroxGh0st malware are now exploiting a broader set of security flaws impacting various internet-facing applications, while also deploying the Mozi botnet malware. "This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures," CloudSEK said in a