OWASP / Serverless-Goat

OWASP ServerlessGoat: a serverless application demonstrating common serverless security flaws
GNU Affero General Public License v3.0

Convert Doc to Text error #4

Closed mendickxiao closed 5 years ago

mendickxiao commented 5 years ago

I created an application directly from the code and ran the application to test. In the URL field of the form, enter the following value: https://www.puresec.io/hubfs/document.doc - this legitimate URL will return the converted text of the document

The page shows an error:

Error: Command failed: curl --silent -L https://www.puresec.io/hubfs/document.doc | ./bin/catdoc -
/bin/sh: ./bin/catdoc: Permission denied

at checkExecSyncError (child_process.js:601:13)
at Object.execSync (child_process.js:641:13)
at exports.handler (/var/task/index.js:29:29)
at <anonymous>
at process._tickDomainCallback (internal/process/next_tick.js:228:7)

mendickxiao commented 5 years ago

I got the code from the master branch: https://github.com/OWASP/Serverless-Goat.git

0xh0b0 commented 5 years ago

@mendickxiao Thanks for submitting the bug report. Please try to deploy the updated version of the app.

mendickxiao commented 5 years ago

It is fixed, thanks for your quick update.

mendickxiao commented 5 years ago

Hello sir, I got the master branch, the latest code, and the issue has recurred. But it is strange: I cannot run it in the API, but I can get some data from the API Gateway Test Interface.

https://8bxg013urf.execute-api.us-east-1.amazonaws.com/api/convert?document_url=https%3A%2F%2Ffoobar%3B+cat+%2Fvar%2Ftask%2Findex.js+%23

{"message":"Forbidden"}