hats-finance / SeeR-PM-0x899bc13919880db76edf4ccd72bdfa5dfa666fb7


Lack of User Input Sanitation When Creating Markets #106

Open hats-bug-reporter[bot] opened 1 month ago

hats-bug-reporter[bot] commented 1 month ago

Github username: @saidqayoumsadat
Twitter username: S2AQ143
Submission hash (on-chain): 0xdd2f1f9c365bd8c3c15576d7cc51fe9cecea2e1b744750131bbb6842b083bb93
Severity: medium

Description:

Description

When a user creates a market, the user specifies params.marketName. There is insufficient input validation on Market::_marketName, which allows user inputs to expose the system to potential malicious activity. In such cases, an attacker may exploit this weakness by injecting malicious input, leading to various security risks, including but not limited to code injection, SQL injection, or other forms of attacks that manipulate the application’s intended behavior.

Proof of Concept:

MarketFactory does not properly validate the params.marketName field in create-market, allowing values with malicious payloads, like empty links, XSS payloads and other injection payloads.

    function createMultiCategoricalMarket(CreateMarketParams calldata params) external returns (address) {
        require(params.outcomes.length >= 2, "Outcomes count must be 2 or more");

        string[] memory encodedQuestions = new string[](1);
        encodedQuestions[0] = encodeRealityQuestionWithOutcomes(params.marketName, params.outcomes, params.category, params.lang);

        return createMarket(
            params,
            /* @>> */ params.marketName, // user-supplied string forwarded without validation
            InternalMarketConfig({
                encodedQuestions: encodedQuestions,
                outcomeSlotCount: params.outcomes.length + 1, // additional outcome for Invalid Result.
                templateId: REALITY_MULTI_SELECT_TEMPLATE
            })
        );
    }

    function createMarket(
        CreateMarketParams memory params,
        string memory marketName,
        InternalMarketConfig memory config
    ) internal returns (address) {

        (Market.ConditionalTokensParams memory conditionalTokensParams, Market.RealityParams memory realityParams) = createNewMarketParams(params, config);

        Market instance = Market(market.clone());

        instance.initialize(
            /* @>> */ marketName, // stored on the market clone as-is
            params.outcomes,
            params.lowerBound,
            params.upperBound,
            conditionalTokensParams,
            realityParams,
            realityProxy
        );

        // Remainder of the function omitted in the report; the declared return type is address.
        return address(instance);
    }

[Two screenshots attached to the report: 2024-09-27 11-06-22 and 2024-09-27 11-07-27]

However, it is important not to allow these kinds of dangerous characters and payloads to be configured by users.

Impact

Allows a malicious user to input a malicious injection without any sanitization.

Recommendation

• Input Validation: Implement robust input validation mechanisms to ensure that user inputs adhere to expected formats and constraints.

• Utilize server-side validation as the primary line of defense against malicious input.

• Output Encoding: Apply proper output encoding techniques to sanitize user inputs before rendering them in the user interface. This helps prevent cross-site scripting (XSS) attacks by neutralizing potentially harmful scripts.

greenlucid commented 1 month ago

The markets will be curated with an external tool (Curate) and the user won't get exposed to unvalidated markets.

saidqayoumsadat commented 1 month ago

> The markets will be curated with an external tool (Curate) and the user won't get exposed to unvalidated markets.

While the external curation tool (Curate) might reduce the exposure of the public to unvalidated markets, it doesn’t eliminate the core issue. The root of the vulnerability—insufficient validation of user input—still resides within the protocol itself. This could lead to future bugs or security loopholes in areas not strictly tied to user interface exposure.

clesaege commented 1 month ago

The sanitization is done by the frontend. See this example: https://seer-pm.netlify.app/#/markets/100/0xF186e4a7b960c80b0e52426b532dD5A1A68e7105/

saidqayoumsadat commented 1 month ago

@clesaege but the frontend is simply bypassed by some proxies like Burp Suite, if you know that tool.

clesaege commented 1 month ago

Can you show an example?
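The thread turns on where sanitization lives: the report recommends output encoding, and the maintainers state that the frontend sanitizes the on-chain market name when rendering it. The following is an added example, not SeeR-PM's frontend code, showing why render-time escaping is the control that matters: a name stored on-chain with markup in it (constructed sample below) is rendered inert no matter how it reached the contract, whether through the UI, an intercepting proxy or a direct contract call. The input-side validateMarketName check and its length limit are assumptions added for defence in depth, not the project's rules.

```javascript
// Added example (not part of SeeR-PM or the report): output encoding of an
// on-chain market name before it is rendered in a web frontend.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML context. Applied at render
// time, this makes any string read from the contract inert in the page,
// regardless of whether input-side checks were bypassed.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Input-side check for the UI (assumed limits, not the project's): reject names
// that are empty, over-long, or contain control characters. This is a courtesy
// to honest users; it is not what protects other users' browsers.
const MAX_MARKET_NAME_LENGTH = 200;
function validateMarketName(name) {
  if (typeof name !== 'string' || name.trim().length === 0) {
    return { ok: false, reason: 'empty' };
  }
  if (name.length > MAX_MARKET_NAME_LENGTH) {
    return { ok: false, reason: 'too long' };
  }
  if (/[\u0000-\u001f\u007f]/.test(name)) {
    return { ok: false, reason: 'control characters' };
  }
  return { ok: true, reason: null };
}

// Build a market card from data read from the Market contract, passing every
// untrusted field (marketName, outcomes) through escapeHtml.
function renderMarketCard(market) {
  const outcomes = market.outcomes.map((o) => `<li>${escapeHtml(o)}</li>`).join('');
  return `<div class="market"><h3>${escapeHtml(market.marketName)}</h3><ul>${outcomes}</ul></div>`;
}

// Constructed sample: a market whose stored name contains markup.
const storedMarket = {
  marketName: 'Will <b>ETH</b> reach $5k? <script>steal()</script>',
  outcomes: ['Yes', 'No', '"Maybe" & <other>'],
};
```

The rendered string contains no executable tags: the stored `<script>` becomes `&lt;script&gt;` text, which is the behaviour clesaege's comment relies on.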