Skip to content

Vulnerability in /submit endpoint #42

Description

@22raor

/submit allows you to arbitrarily upload any file to the S3 storage, as long as you have ANY valid authorization token.

Steps to recreate:

  • Submit an application
  • Find your bearer token from the POST request
  • Run the following request
    curl -X POST \ -F "resume=@<FILENAME>" \ -F "userId=<USERID>" \ -H 'authorization: Bearer <TOKEN>' \ http://localhost:5000/api/applications/submit

Note that any user id is accepted, and any file path can be written to. File type/size is also not checked.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions