GHSA-xg8v-m2mh-45m6: PsiTransfer: Violation of the integrity of file distribution

Summary The absence of restrictions on the endpoint, which allows you to create a path for uploading a file in a file distribution, allows an attacker to add arbitrary files to the distribution.

Details Vulnerable endpoint: POST /files

PoC

1. Create a file distribution. <img width="1434" alt="Снимок экрана 2024-03-17 в 21 27 30" src="https://github.com/psi-4ward/psitransfer/assets/163760990/4634a6f7-6e7d-486e-9929-76156aaa1340">

2. Go to the link address (id of the file distribution is needed by an attacker to upload files there). <img width="1426" alt="Снимок экрана 2024-03-17 в 21 27 35" src="https://github.com/psi-4ward/psitransfer/assets/163760990/a57c910c-69e2-4b07-985d-b0a46c69891a">

3. Send a POST /files. As the value of the Upload-Metadata header we specify the sid parameter with the id of the file distribution obtained in the second step. In the response from the server in the Location header we get the path for uploading a new file to the file distribution. <img width="1403" alt="Снимок экрана 2024-03-17 в 21 28 09" src="https://github.com/psi-4ward/psitransfer/assets/163760990/8b839fb8-2c0b-432f-8503-e4c42a840056">

4. Send a PATCH /files/{{id}} request with arbitrary content in the request body. Id is taken from the previous step. <img width="1067" alt="Снимок экрана 2024-03-17 в 21 28 51" src="https://github.com/psi-4ward/psitransfer/assets/163760990/c5b2acf3-fdf1-4780-8c63-61a7f19338df">

Result: <img width="1432" alt="Снимок экрана 2024-03-17 в 21 29 05" src="https://github.com/psi-4ward/psitransfer/assets/163760990/c49b17c8-e1d2-4894-b6e2-f50b9663fca7"> <img width="1424" alt="Снимок экрана 2024-03-17 в 21 29 15" src="https://github.com/psi-4ward/psitransfer/assets/163760990/e4a1e07d-3e77-4f61-a4e7-ceee4a5a7b8e">

Impact The vulnerability allows an attacker to influence those users who come to the file distribution after him and slip the victim files with a malicious or phishing signature.