The artpiece content is only validated for the length. Due To the fact that creating a new piece would only cost gas and there is no additional fees. It is possible for attackers to flood the system with malicious content. And if on the sites that will showcase the nft there is no sufficient formatting when showcasing the NFT. This could lead to the malicious user executing malicious javascript code on the victim (the user who opened the website) and potentially also interacting with the victims wallet.
Proof of Concept
The ArtpieceMetadata is only validated for it's content length.
Meaning it is possible to store any nft with malicious content on the smart contract
function validateMediaType(ArtPieceMetadata calldata metadata) internal pure {
require(uint8(metadata.mediaType) > 0 && uint8(metadata.mediaType) <= 5, "Invalid media type");
if (metadata.mediaType == MediaType.IMAGE)
require(bytes(metadata.image).length > 0, "Image URL must be provided");
else if (metadata.mediaType == MediaType.ANIMATION)
require(bytes(metadata.animationUrl).length > 0, "Animation URL must be provided");
else if (metadata.mediaType == MediaType.TEXT)
require(bytes(metadata.text).length > 0, "Text must be provided");
}
Example malicious content:
<script> alert("XSS") </script>
Tools Used
.
Recommended Mitigation Steps
We could recommend checking for a maximum length of the stored content and also may be sanitizing the Artpiece Metadata content
Example
function sanitizeString(input) {
// Replace characters that have special meaning in HTML
const sanitizedString = input.replace(/</g, "<").replace(/>/g, ">");
// Additional sanitation steps based on your specific needs
return sanitizedString;
}
Lines of code
https://github.com/code-423n4/2023-12-revolutionprotocol/blob/d42cc62b873a1b2b44f57310f9d4bbfdd875e8d6/packages/revolution/src/CultureIndex.sol#L159-#L168
Vulnerability details
Impact
The artpiece content is only validated for the length. Due To the fact that creating a new piece would only cost gas and there is no additional fees. It is possible for attackers to flood the system with malicious content. And if on the sites that will showcase the nft there is no sufficient formatting when showcasing the NFT. This could lead to the malicious user executing malicious javascript code on the victim (the user who opened the website) and potentially also interacting with the victims wallet.
Proof of Concept
The ArtpieceMetadata is only validated for it's content length. Meaning it is possible to store any nft with malicious content on the smart contract
Example malicious content:
Tools Used
.
Recommended Mitigation Steps
We could recommend checking for a maximum length of the stored content and also may be sanitizing the Artpiece Metadata content Example
Assessed type
Invalid Validation