Headline
CVE-2023-0610: Merge pull request from GHSA-mrqx-mjc4-vfh3 · wallabag/wallabag@5ac6b6b
Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.
@@ -22,8 +22,6 @@ public function dataForEachAnnotations() }
/** * Test fetching annotations for an entry. * * @dataProvider dataForEachAnnotations */ public function testGetAnnotations($prefixUrl) @@ -35,15 +33,7 @@ public function testGetAnnotations($prefixUrl) ->findOneByUserName(‘admin’); $entry = $em ->getRepository(‘WallabagCoreBundle:Entry’) ->findOneByUsernameAndNotArchived(‘admin’);
$annotation = new Annotation($user); $annotation->setEntry($entry); $annotation->setText(‘This is my annotation /o/’); $annotation->setQuote(‘content’);
$em->persist($annotation); $em->flush(); ->findByUrlAndUserId('http://0.0.0.0/entry1’, $user->getId());
if (‘annotations’ === $prefixUrl) { $this->logInAs(‘admin’); @@ -54,23 +44,44 @@ public function testGetAnnotations($prefixUrl)
$content = json_decode($this->client->getResponse()->getContent(), true); $this->assertGreaterThanOrEqual(1, $content[‘total’]); $this->assertSame($annotation->getText(), $content[‘rows’][0][‘text’]); }
// we need to re-fetch the annotation becase after the flush, it has been “detached” from the entity manager $annotation = $em->getRepository(‘WallabagAnnotationBundle:Annotation’)->findAnnotationById($annotation->getId()); $em->remove($annotation); $em->flush(); /** * @dataProvider dataForEachAnnotations */ public function testGetAnnotationsFromAnOtherUser($prefixUrl) { $em = $this->client->getContainer()->get(‘doctrine.orm.entity_manager’);
$otherUser = $em ->getRepository(‘WallabagUserBundle:User’) ->findOneByUserName(‘bob’); $entry = $em ->getRepository(‘WallabagCoreBundle:Entry’) ->findByUrlAndUserId('http://0.0.0.0/entry3’, $otherUser->getId());
if (‘annotations’ === $prefixUrl) { $this->logInAs(‘admin’); }
$this->client->request('GET’, $prefixUrl . ‘/’ . $entry->getId() . ‘.json’); $this->assertSame(200, $this->client->getResponse()->getStatusCode());
$content = json_decode($this->client->getResponse()->getContent(), true); $this->assertGreaterThanOrEqual(0, $content[‘total’]); }
/** * Test creating an annotation for an entry. * * @dataProvider dataForEachAnnotations */ public function testSetAnnotation($prefixUrl) { $em = $this->client->getContainer()->get(‘doctrine.orm.entity_manager’);
$user = $em ->getRepository(‘WallabagUserBundle:User’) ->findOneByUserName(‘admin’);
if (‘annotations’ === $prefixUrl) { $this->logInAs(‘admin’); } @@ -102,7 +113,7 @@ public function testSetAnnotation($prefixUrl) /** @var Annotation $annotation */ $annotation = $em ->getRepository(‘WallabagAnnotationBundle:Annotation’) ->findLastAnnotationByPageId($entry->getId(), 1); ->findLastAnnotationByUserId($entry->getId(), $user->getId());
$this->assertSame('my annotation’, $annotation->getText()); } @@ -195,8 +206,6 @@ public function testSetAnnotationWithQuoteTooLong($prefixUrl) }
/** * Test editing an existing annotation. * * @dataProvider dataForEachAnnotations */ public function testEditAnnotation($prefixUrl) @@ -243,8 +252,31 @@ public function testEditAnnotation($prefixUrl) }
/** * Test deleting an annotation. * * @dataProvider dataForEachAnnotations */ public function testEditAnnotationFromAnOtherUser($prefixUrl) { $em = $this->client->getContainer()->get(‘doctrine.orm.entity_manager’);
$otherUser = $em ->getRepository(‘WallabagUserBundle:User’) ->findOneByUserName(‘bob’); $entry = $em ->getRepository(‘WallabagCoreBundle:Entry’) ->findByUrlAndUserId('http://0.0.0.0/entry3’, $otherUser->getId()); $annotation = $em ->getRepository(‘WallabagAnnotationBundle:Annotation’) ->findLastAnnotationByUserId($entry->getId(), $otherUser->getId());
$headers = [‘CONTENT_TYPE’ => ‘application/json’]; $content = json_encode([ ‘text’ => 'a modified annotation’, ]); $this->client->request('PUT’, $prefixUrl . ‘/’ . $annotation->getId() . '.json’, [], [], $headers, $content); $this->assertSame(404, $this->client->getResponse()->getStatusCode()); }
/** * @dataProvider dataForEachAnnotations */ public function testDeleteAnnotation($prefixUrl) @@ -287,4 +319,40 @@ public function testDeleteAnnotation($prefixUrl)
$this->assertNull($annotationDeleted); }
/** * @dataProvider dataForEachAnnotations */ public function testDeleteAnnotationFromAnOtherUser($prefixUrl) { $em = $this->client->getContainer()->get(‘doctrine.orm.entity_manager’);
$otherUser = $em ->getRepository(‘WallabagUserBundle:User’) ->findOneByUserName(‘bob’); $entry = $em ->getRepository(‘WallabagCoreBundle:Entry’) ->findByUrlAndUserId('http://0.0.0.0/entry3’, $otherUser->getId()); $annotation = $em ->getRepository(‘WallabagAnnotationBundle:Annotation’) ->findLastAnnotationByUserId($entry->getId(), $otherUser->getId());
$user = $em ->getRepository(‘WallabagUserBundle:User’) ->findOneByUserName(‘admin’); $entry = $em ->getRepository(‘WallabagCoreBundle:Entry’) ->findOneByUsernameAndNotArchived(‘admin’);
if (‘annotations’ === $prefixUrl) { $this->logInAs(‘admin’); }
$headers = [‘CONTENT_TYPE’ => ‘application/json’]; $content = json_encode([ ‘text’ => 'a modified annotation’, ]); $this->client->request('DELETE’, $prefixUrl . ‘/’ . $annotation->getId() . '.json’, [], [], $headers, $content); $this->assertSame(404, $this->client->getResponse()->getStatusCode()); } }
Related news
### Impact The annotations feature lets users add annotations on highlighted parts of an entry. The controller does not validate authorization on `PUT` and `DELETE` requests which lets a logged user modify or delete any annotation using their ID on their endpoints `example.org/annotations/{id}`. These vulnerable requests also disclose highlighted parts of the entry to the attacker. You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration. ### Resolution A user check is now done in the vulnerable methods before applying change on an annotation. The Annotation retrieval through a `ParamConverter` has also been replaced with a call to the `AnnotationRepository` in order to prevent any information disclosure through response discrepancy. ### Workarounds ### Credits We would like to thank @bAuh0lz for reporting this issue through huntr.dev. Reference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20...