HumanSignal / label-studio

Label Studio is a multi-type data labeling and annotation tool with standardized output format
https://labelstud.io
Apache License 2.0

Found a possible security concern #2104

Open JamieSlome opened 2 years ago

JamieSlome commented 2 years ago

Hey there!

I belong to an open source security research community, and a member (@bapi011) has found an issue but doesn't know the best way to disclose it.

If not a hassle, might you kindly add a SECURITY.md file with an email, or another contact method? GitHub recommends this best practice to ensure security issues are responsibly disclosed, and it would serve as a simple instruction for security researchers in the future.

Thank you for your consideration, and I look forward to hearing from you!

(cc @huntr-helper)

JamieSlome commented 2 years ago

Just a heads up that we have tried sending the reports to your GitHub organization's e-mail.

You can also view the reports directly here:

https://www.huntr.dev/bounties/7cda26d7-964c-4e39-8352-b701950f14d8/
https://huntr.dev/bounties/e6a352e2-ceb9-42f8-9340-e1724f7629e7/
https://huntr.dev/bounties/0d38a1c8-3c4c-48ea-a1db-35582c1d2981/
https://huntr.dev/bounties/455dfc05-736e-4a15-999c-6c544bca9d80/
https://huntr.dev/bounties/2d2bf55f-17b1-4c0b-86f6-f09b3f2a5dbe/

They are private and only accessible to maintainers with repository write permissions 👍

makseq commented 2 years ago

Hi! Thank you for your exploration.

But most of these issues are about file downloading on the server side. We can't disable these features. Maybe you have ideas on how to fix it?

P.S. In our Enterprise version we have roles for users and only admins can use it, so I wouldn't say it's critical.
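makseq's comment above says the reports concern server-side file downloading that cannot be switched off. One way to keep such a feature while limiting what it can reach is to validate the target before the server fetches it: allow only http/https, resolve the host, refuse any address in loopback, private, link-local or similar ranges, and then connect to the checked address rather than re-resolving. The following is an added example written for this page; it is not code from the Label Studio project or from either participant in the thread. It assumes the reported issues involve the server fetching URLs supplied by users (the thread does not describe the reports' details), and the `FAKE_DNS` table, the hostnames and the addresses in it are constructed so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _is_disallowed_ip(ip):
    """True if ip lies in a range a server-side fetcher must never reach."""
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped  # ::ffff:127.0.0.1 is just 127.0.0.1 in disguise
    return (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def default_resolver(host):
    """Resolve host to every A/AAAA address the system resolver returns."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_fetch_url(url, resolver=default_resolver):
    """Check a user-supplied URL before the server fetches it.

    Returns (scheme, host, port, pinned_ips) or raises ValueError.
    pinned_ips are the addresses that passed the check; the caller should
    connect to one of them instead of resolving again, so a DNS answer that
    changes between check and use (rebinding) cannot bypass the check.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname  # lower-cased, IPv6 brackets already stripped
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        raise ValueError("invalid port") from exc
    if port is None:
        port = 443 if scheme == "https" else 80
    try:
        candidates = [ipaddress.ip_address(host)]  # plain IP literal
    except ValueError:
        # Not a literal: resolve, and judge *every* returned address,
        # because the fetcher may connect to any of them.
        candidates = [ipaddress.ip_address(a) for a in resolver(host)]
    if not candidates:
        raise ValueError(f"host does not resolve: {host!r}")
    for ip in candidates:
        if _is_disallowed_ip(ip):
            raise ValueError(f"{host!r} resolves to disallowed address {ip}")
    return scheme, host, port, [str(ip) for ip in candidates]


def is_safe_fetch_url(url, resolver=default_resolver):
    """Boolean convenience wrapper around validate_fetch_url."""
    try:
        validate_fetch_url(url, resolver)
    except ValueError:
        return False
    return True


# Constructed DNS table so the example runs without network access.
# 93.184.216.34 is used here as a stand-in for an ordinary public address.
FAKE_DNS = {
    "files.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    samples = [
        "https://files.example.com:8443/export.csv",
        "http://rebind.example.com/",
        "http://127.0.0.1:8080/admin/",
        "http://[::ffff:127.0.0.1]/",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
    ]
    for u in samples:
        print(f"{'allow' if is_safe_fetch_url(u, fake_resolver) else 'deny ':5} {u}")
```

Two caveats a practitioner would want alongside this: the check covers only the first hop, so HTTP redirects must either be disabled or re-validated with the same function at every hop, and the returned `pinned_ips` must actually be used for the connection (with the original host kept for the Host header and TLS SNI), otherwise a second DNS lookup inside the HTTP client reopens the rebinding gap.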

Bapi011 commented 2 years ago

> Hi! Thank you for your exploration.
>
> But most of these issues are about file downloading on the server side. We can't disable these features. Maybe you have ideas on how to fix it?
>
> P.S. In our Enterprise version we have roles for users and only admins can use it, so I wouldn't say it's critical.

Hi @makseq, (cc @huntr-helper) (cc @JamieSlome)

It can affect admin users, and with this attack it may also be possible to take over the admin account. I know you can't disable these features, but I have ideas to fix this vulnerability, so can you please validate those reports on huntr.dev so I can suggest the fix for all the reported vulnerabilities?

Note: I haven't tested your Enterprise version, but I am sure there will be a way to trigger this vulnerability.

Regards, Bapi @Bapi011

JamieSlome commented 2 years ago

@makseq - just following up on the above, any thoughts?

Bapi011 commented 2 years ago

Hi @makseq, (cc @huntr-helper) (cc @JamieSlome)

More than a month has passed since I reported, and there has been no proper response from your side, so the report will be disclosed after 60 days.

Thanks, Bapi @Bapi011