code-423n4 / 2023-10-nextgen-findings


`NextGenCore::tokenURI` is vulnerable to JSON injection #1968

Closed c4-submissions closed 7 months ago

c4-submissions commented 7 months ago

Lines of code

https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/NextGenCore.sol#L343-L357
https://github.com/code-423n4/2023-10-nextgen/blob/8b518196629faa37eae39736837b24926fd3c07c/hardhat/smart-contracts/NextGenCore.sol#L131-L138

Vulnerability details

Impact

Once an NFT is minted, anyone can call NextGenCore::tokenURI to retrieve JSON data with the details and the generated SVG image. The issue is that the function NextGenCore::tokenURI is vulnerable to JSON injection: it is possible to inject characters into the collection fields that completely alter the integrity of the JSON data.

This could lead to issues like incorrect data display and security issues. Some examples of the attacks that can be carried:

Proof of Concept

A scenario where the collection name is submitted as the following: Cool Token" }, { "extra": "injected data

Intended JSON structure:

{
  "name": "Cool Token"
}

JSON structure with the problematic input:

{
  "name": "Cool Token" }, { "extra": "injected data",
}

In this altered JSON, the input has broken out of the name field and added an entirely new object ({ "extra": "injected data") to the JSON.

Tools Used

Manual review

Recommended Mitigation Steps

It is recommended to properly escape the collection data before embedding it, so that it cannot alter the structure of the returned JSON.

Assessed type

Other
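The following is an added illustration, not code from the finding or from the NextGen contracts: it models the concatenation-style metadata builder the finding describes, a byte-wise JSON string escaper of the kind a Solidity helper would implement (escaping `"`, `\` and control characters), and a round-trip check that parses the result and confirms the name field is still a single, intact string. The sample name, description and image values are constructed; the real values come from on-chain collection metadata.

```python
import json

# Constructed sample inputs (not taken from the contract or the finding).
SAMPLE_DESCRIPTION = "A generative collection"
SAMPLE_IMAGE = "data:image/svg+xml;utf8,<svg></svg>"
# The payload shape from the proof of concept above.
MALICIOUS_NAME = 'Cool Token" }, { "extra": "injected data'


def build_metadata_unescaped(name: str, description: str, image: str) -> str:
    """Concatenation with no escaping, the pattern the finding describes."""
    return ('{"name":"' + name + '","description":"' + description
            + '","image":"' + image + '"}')


def json_escape(s: str) -> str:
    """Escape a value for embedding inside a JSON string literal.

    Done character by character (no library call) to mirror what an
    on-chain helper would have to do: quotes, backslashes and control
    characters are the only bytes that can change JSON structure.
    """
    out = []
    for ch in s:
        if ch == '"':
            out.append('\\"')
        elif ch == '\\':
            out.append('\\\\')
        elif ch == '\n':
            out.append('\\n')
        elif ch == '\r':
            out.append('\\r')
        elif ch == '\t':
            out.append('\\t')
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_metadata_escaped(name: str, description: str, image: str) -> str:
    """Same template, but every user-controlled field is escaped first."""
    return ('{"name":"' + json_escape(name) + '","description":"'
            + json_escape(description) + '","image":"' + json_escape(image) + '"}')


def name_round_trips(builder, name: str) -> bool:
    """Return True if the metadata parses as one object whose keys are exactly
    the template's keys and whose name field equals the original input.

    A False result means the input either broke the document (parse error,
    as with the proof-of-concept payload) or changed its structure.
    """
    raw = builder(name, SAMPLE_DESCRIPTION, SAMPLE_IMAGE)
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return False
    return (isinstance(obj, dict)
            and set(obj) == {"name", "description", "image"}
            and obj["name"] == name)


if __name__ == "__main__":
    print(build_metadata_unescaped(MALICIOUS_NAME, SAMPLE_DESCRIPTION, SAMPLE_IMAGE))
    print("unescaped ok:", name_round_trips(build_metadata_unescaped, MALICIOUS_NAME))
    print(build_metadata_escaped(MALICIOUS_NAME, SAMPLE_DESCRIPTION, SAMPLE_IMAGE))
    print("escaped ok:", name_round_trips(build_metadata_escaped, MALICIOUS_NAME))
```

The round-trip check is the test worth keeping in a contract's test suite: after any change to tokenURI, parse the output with a strict JSON parser and assert the key set and the field values, since a lenient viewer may silently accept the broken document that a strict parser rejects. The same escaping applies to the image field, because an SVG data URI can legitimately contain quotes.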

c4-pre-sort commented 7 months ago

141345 marked the issue as duplicate of #1284

c4-judge commented 7 months ago

alex-ppg marked the issue as unsatisfactory: Out of scope