Merge pull request #336 from Workable/PROD-30208_fix-porssible-ssrf-a…

…ttack-on-s3-url [PROD-30208] - add check on s3 url for @ after domain to prevent security risks
Workable · Sep 21, 2023 · 85fcb4b · 85fcb4b
2 parents e830958 + 681add6
commit 85fcb4b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 2 deletions.
diff --git a/src/initializers/joi.ts b/src/initializers/joi.ts
@@ -190,7 +190,8 @@ const Joi: JoiWithExtensions = _Joi.extend(
           }
         ],
         validate(value, helpers, {bucket}) {
-          if (!isOwnS3Path(bucket, value)) {
+          const { hostname, protocol, pathname} = new URL(value);
+          if (!isOwnS3Path(bucket, `${protocol}//${hostname}${pathname}`)) {
             return helpers.error('string.notInS3');
           }
           return value;

diff --git a/test/initializers/joi.test.ts b/test/initializers/joi.test.ts
@@ -119,8 +119,22 @@ describe('joi extensions', function () {
       should(underTest.error).be.undefined();
       underTest.value.should.equal(url);
     });
+    it('s3 url with @ after domain should throw error', function () {
+      const urls = [
+          'https://[email protected]/tmp/123-456-789',
+          'https://[email protected]/tmp/123-456-789',
+          'https://application-form.s3.amazonaws.com@joecup/tmp/123-456-789',
+          'https://application-form.s3.amazonaws.com@hello',
+          'https://application-form.s3.amazonaws.com@4nsex02yymx4wzjzc0ljcmsar1xsli97.oastify.com'
+      ];
+      urls.forEach(url => {
+        const underTest = Joi.urlInOwnS3()
+            .bucket('application-form')
+            .validate(url);
+        underTest.error.message.should.equal('Invalid path provided');
+      });
+    });
   });
-
   describe('url', function () {
     it('rejects URLs with less than two domain fragments', function () {
       Joi.url().validate('https://foo').error.message.should.equal('"value" must contain a valid domain name');