[bug]: Unauthorized Access to /uploads Exposing Images Publicly #3694

Open
1 task done
hadran9 opened this issue Feb 18, 2024 · 6 comments
Assignees
Labels
🐛bug Something isn't working


hadran9 commented Feb 18, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Current behavior

This issue requires urgent attention due to its potential security implications.

Upon navigating to the /upload endpoint, it has come to my attention that all images are publicly accessible without the necessity for user authentication.

[screenshot: Screenshot_40]

The exposure of these images could potentially be linked to the public status of some projects, or it may be a default behavior across all Plane projects. This issue warrants immediate attention as it poses a significant information disclosure vulnerability.

This issue has been previously reported in issue #2252, dating back to September, but it appears to have been left unresolved.

Steps to reproduce

  1. Navigate to the /upload endpoint.
  2. Observe that all images are publicly accessible without the necessity for user authentication.

Browser

Google Chrome

Version

Self-hosted

@hadran9 hadran9 added the 🐛bug Something isn't working label Feb 18, 2024
@hadran9 hadran9 assigned ghost and srinivaspendem Feb 18, 2024
@srinivaspendem (Collaborator) commented:

Hi @hadran9, thank you for reporting this. We are already working on it as a priority. We will keep you posted on the update.

@pablohashescobar (Collaborator) commented:

@hadran9, this has been fixed in the latest release. Let us know if you are still facing the issue.


hadran9 commented Feb 19, 2024

Hello @srinivaspendem and @pablohashescobar,
I appreciate your prompt responses. I didn't realize that this was addressed in the latest version. I'll update my clone of the plane and get back to you. However, wouldn't it be beneficial to close #2252 with a comment to prevent similar issues from being raised in the future?


hadran9 commented Feb 27, 2024

@srinivaspendem and @pablohashescobar,
I have successfully completed the upgrade and can confirm that the previous issue with exposed information at the /upload endpoint has been resolved.

However, during the upgrade, I encountered a new issue, as shown in the attached screenshot.

[screenshot: image]

When attempting to open the image via its URL, I encountered the following:

[screenshot: Screenshot_47]

This issue seems to affect only the old images. New images that I upload do not encounter this problem.

Could you please provide some insight into this? Should I create a new ticket for this issue?

@pablohashescobar (Collaborator) commented:

@hadran9, this would be the images that were uploaded before you changed the WEB_URL. We are aware of this bug and working on a fix.


hadran9 commented Mar 5, 2024

@pablohashescobar Given that the current issue has been resolved, I will proceed to close it. However, are there any other open issues for the old images that are not functioning correctly after the upgrade?
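An added regression check for operators of a self-hosted instance, covering both points raised in this thread: that upload assets are not served to unauthenticated clients (the original report) and that asset links recorded before a WEB_URL change still resolve afterwards (the follow-up about old images). This is example code written for this page, not Plane's own code; the hostnames, asset paths and responses below are constructed, and the fetcher is injected so the logic runs offline.

```python
from dataclasses import dataclass
from typing import Callable, Iterable
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Response:
    status: int
    content_type: str


# (url, headers) -> Response; in production wrap requests/urllib here.
Fetcher = Callable[[str, dict], Response]


def is_public_image(resp: Response) -> bool:
    """True when an image body was handed to a caller that sent no credentials."""
    return resp.status == 200 and resp.content_type.lower().startswith("image/")


def rebase(url: str, new_web_url: str) -> str:
    """Point a stored absolute asset URL at the current WEB_URL, keeping path and query."""
    old, new = urlsplit(url), urlsplit(new_web_url)
    return urlunsplit((new.scheme, new.netloc, old.path, old.query, old.fragment))


def audit(asset_urls: Iterable[str], web_url: str, fetch: Fetcher) -> dict:
    """Probe each asset anonymously; report those exposed and those lost after a rebase."""
    exposed, broken = [], []
    for url in asset_urls:
        current = rebase(url, web_url)
        anon = fetch(current, {})  # deliberately no cookie or Authorization header
        if is_public_image(anon):
            exposed.append(current)
        elif anon.status == 404:
            broken.append(current)
    return {"exposed": exposed, "broken_after_rebase": broken}


# Constructed sample data standing in for a real instance (hypothetical hosts/paths).
DEMO_ASSETS = [
    "http://old-host:8000/uploads/old.png",
    "http://old-host:8000/uploads/new.png",
    "http://old-host:8000/uploads/missing.png",
]
DEMO_RESPONSES = {
    "https://plane.example/uploads/old.png": Response(200, "image/png"),        # still exposed
    "https://plane.example/uploads/new.png": Response(401, "application/json"),  # auth enforced
}


def demo_fetch(url: str, headers: dict) -> Response:
    return DEMO_RESPONSES.get(url, Response(404, "text/plain"))


if __name__ == "__main__":
    print(audit(DEMO_ASSETS, "https://plane.example", demo_fetch))
```

Any entry under "exposed" means the fix has not taken effect on that deployment; entries under "broken_after_rebase" are the pre-WEB_URL-change images that need their stored links migrated.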
