GHSA-96pq-hxpw-rgh8

Summary

• The save_images_Asset graphql mutation allows a user to give a url of an image to download. (Url must use a domain, not a raw IP.)
• Attacker sets up domain attacker.domain with an A record of something like 169.254.169.254 (special AWS metadata IP)
• Attacker invokes save_images_Asset with url: http://attacker.domain/latest/meta-data/iam/security-credentials and filename "foo.txt"
• Craft fetches sensitive information on attacker's behalf, and makes it available for download at /assets/images/foo.txt
• Normal checks to verify that image is valid are bypassed because of .txt extension
• Normal checks to verify that url is not an IP address are bypassed because user provided a valid domain that resolves to a sensitive internal IP address

Details

handleUpload() in src/gql/resolvers/mutations/Assets.php contains the code that processes the save_images_Asset mutation.

It has some basic validation logic for the url parameter (source of the image) and filename parameter (what to save image as):

   } elseif (!empty($fileInformation['url'])) {
            $url = $fileInformation['url'];

            // make sure the hostname is alphanumeric and not an IP address
            $hostname = parse_url($url, PHP_URL_HOST);
            if (
                !filter_var($hostname, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) ||
                filter_var($hostname, FILTER_VALIDATE_IP)
            ) {
                throw new UserError("$url contains an invalid hostname.");
            }

            if (empty($fileInformation['filename'])) {
                $filename = AssetsHelper::prepareAssetName(pathinfo(UrlHelper::stripQueryString($url), PATHINFO_BASENAME));
            } else {
                $filename = AssetsHelper::prepareAssetName($fileInformation['filename']);
            }

            $extension = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
            if (is_array($allowedExtensions) && !in_array($extension, $allowedExtensions,...