RavinMaddHatter / structuraWeb

A web interface for structura
MIT License

File names are spoofable, can contain path characters and inject HTML #2

Open 74c6b4a5-b3ac-43cc-89c1-1bc1372fb97e opened 1 week ago

74c6b4a5-b3ac-43cc-89c1-1bc1372fb97e commented 1 week ago

about

By modifying the file name of a structure file, you can insert special characters like /, <, and >, which usually cannot be in file names. This can do two things:

  1. By putting ../, the structure file will get saved on the server to the root directory https://s3.us-east-2.amazonaws.com/structuralab.com. By putting more characters you can therefore write a structure file to anywhere in this folder. Trying to overwrite a previously existing structure file doesn't have any effect. I have only found it possible to upload .mcstructure files, fortunately not other file types.
  2. When the item page is sent to the client on line 481, it only escapes first-level dictionary keys, meaning that data["structureFiles"][structureName] in line 484 is not escaped and can contain HTML code. This means you can write any HTML to the page, such as one redirecting you to a Rickroll: "><script>location='https://www.youtube.com/watch?v=dQw4w9WgXcQ';</script>.mcstructure

demo

https://structuralab.com/eb789cae-4926-4feb-9d60-6ea3c4938b02/item3.html

how to recreate

On the upload page, enter an actual structure file into the input, and use the following JavaScript (in the browser console, with fileUpload being the file input element) to change the file name:

```javascript
// in this example with the RickRoll code again
// wrap the chosen file in a new File object whose name carries the payload
payload = new File([fileUpload.files[0]], `"><script>location='https://www.youtube.com/watch?v=dQw4w9WgXcQ';</script>.mcstructure`);
// a DataTransfer is the only way to assign a FileList to an <input type="file">
dt = new DataTransfer;
dt.items.add(payload);
fileUpload.files = dt.files;
```

how to fix

Add server-side URL checking to remove / from file names, and escape potential HTML.
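Added example (not structuraWeb's own code) of the two server-side checks the fix asks for: reject a file name that carries path separators or markup before it is used as a storage key, and HTML-escape nested values, not just top-level keys, before they are written into the item page. Function names and the sample data are assumptions made for this example.

```python
import html
import re

# Added example, not structuraWeb's own code: server-side checks for the two bugs in
# this issue (traversal via the file name, unescaped nested value in the item page).
ALLOWED_EXT = ".mcstructure"
# Stem starts with a letter/digit; then only letters, digits, space, dot, dash, underscore.
_SAFE_STEM = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,99}")

def sanitize_structure_filename(name: str) -> str:
    """Return the validated name or raise ValueError. Reject rather than strip:
    a browser never sends "/", "\\" or NUL in a picked file's name."""
    if any(ch in name for ch in ("/", "\\", "\x00")):
        raise ValueError("path separators are not allowed in a file name")
    if not name.lower().endswith(ALLOWED_EXT):
        raise ValueError("only .mcstructure files are accepted")
    stem = name[: -len(ALLOWED_EXT)]
    if not _SAFE_STEM.fullmatch(stem):
        raise ValueError("file name contains disallowed characters")
    return stem + ALLOWED_EXT  # also normalises the extension's case

def rejected(name: str) -> bool:
    """True if sanitize_structure_filename refuses the name."""
    try:
        sanitize_structure_filename(name)
    except ValueError:
        return True
    return False

def escape_deep(value):
    """HTML-escape every string in a nested dict/list, keys included, so that
    data["structureFiles"][structureName] cannot carry markup into the page."""
    if isinstance(value, str):
        return html.escape(value, quote=True)
    if isinstance(value, dict):
        return {escape_deep(k): escape_deep(v) for k, v in value.items()}
    if isinstance(value, list):
        return [escape_deep(v) for v in value]
    return value

def render_structure_link(data: dict, structure_name: str) -> str:
    """Build the link for one entry from a fully escaped copy of the data."""
    safe = escape_deep(data)
    file_name = safe["structureFiles"][html.escape(structure_name, quote=True)]
    return f'<a href="{file_name}">{file_name}</a>'

# Constructed sample shaped like the issue's data["structureFiles"][structureName].
CONSTRUCTED_DATA = {"structureFiles": {"house": "house.mcstructure", "evil": '"><script>alert(1)</script>.mcstructure'}}
```

The name check runs once at upload time; the escaping runs at render time, so data already stored with a bad name is still displayed safely.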

RavinMaddHatter commented 1 week ago

Thanks, I will fix it.

On Mon, Oct 28, 2024, 3:21 AM 74c6b4a5-b3ac-43cc-89c1-1bc1372fb97e wrote:

> about
>
> By modifying the file name of a structure file, you can insert special characters like /, <, and >, which usually cannot be in file names. This can do two things:
>
>   1. By putting ../, the structure file will get saved on the server to the root directory https://s3.us-east-2.amazonaws.com/structuralab.com. By putting more characters you can therefore write a structure file to anywhere in this folder. Trying to overwrite a previously existing structure file doesn't have any effect. I have only found it possible to upload .mcstructure files, fortunately not other file types.
>   2. When the item page is sent to the client on line 481 (https://github.com/RavinMaddHatter/structuraWeb/blob/a85087b82452d27b89462dc0b3fd519facc918c3/Server/lambda_function.py#L481C18-L481C45), it only escapes first-level dictionary keys, meaning that data["structureFiles"][structureName] in line 484 is not escaped and can contain HTML code. This means you can write any HTML to the page, such as one redirecting you to a Rickroll: "><script>location='https://www.youtube.com/watch?v=dQw4w9WgXcQ';</script>.mcstructure
>
> demo
>
> https://structuralab.com/eb789cae-4926-4feb-9d60-6ea3c4938b02/item3.html
>
> how to recreate
>
> On the upload page, enter an actual structure file into the input, and use the following JavaScript to change the file name:
>
> ```javascript
> // in this example with the RickRoll code again
> payload = new File([fileUpload.files[0]], `"><script>location='https://www.youtube.com/watch?v=dQw4w9WgXcQ';</script>.mcstructure`);
> dt = new DataTransfer;
> dt.items.add(payload);
> fileUpload.files = dt.files;
> ```
>
> how to fix
>
> Add server-side URL checking to remove / from file names, and escape potential HTML.