Skip to content

fix: service worker processes form data without inpu... in...#6852

Open
orbisai0security wants to merge 1 commit into
ChatGPTNextWeb:mainfrom
orbisai0security:fix-service-worker-file-upload-validation
Open

fix: service worker processes form data without inpu... in...#6852
orbisai0security wants to merge 1 commit into
ChatGPTNextWeb:mainfrom
orbisai0security:fix-service-worker-file-upload-validation

Conversation

@orbisai0security

Copy link
Copy Markdown

Summary

Fix high severity security issue in public/serviceWorker.js.

Vulnerability

Field Value
ID V-001
Severity HIGH
Scanner multi_agent_ai
Rule V-001
File public/serviceWorker.js:23
Assessment Likely exploitable

Description: Service worker processes form data without input validation, allowing attackers to upload malicious files with crafted extensions and content types. The code accepts any file extension and content type without validation.

Evidence

Exploitation scenario: An attacker who can submit form data to the service worker can upload files with malicious extensions (e.g., .html, .js) and content types that could be executed when served.

Scanner confirmation: multi_agent_ai rule V-001 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Threat Model Context

This is a web application - XSS and injection vulnerabilities can affect end users.

Changes

  • public/serviceWorker.js

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Security Invariant

Property: The security boundary is maintained under adversarial input

Regression test
const fs = require('fs');
const path = require('path');

describe("Service worker must validate file extensions and content types", () => {
  const payloads = [
    {
      name: "malicious_php_file",
      file: { name: "shell.php", type: "application/x-php", size: 100 },
      shouldReject: true
    },
    {
      name: "double_extension_bypass",
      file: { name: "image.jpg.php", type: "image/jpeg", size: 100 },
      shouldReject: true
    },
    {
      name: "null_byte_injection",
      file: { name: "test.jpg\0.php", type: "image/jpeg", size: 100 },
      shouldReject: true
    },
    {
      name: "valid_image",
      file: { name: "image.png", type: "image/png", size: 100 },
      shouldReject: false
    }
  ];

  test.each(payloads)("handles $name correctly", async ({ file, shouldReject }) => {
    // Import the actual service worker module
    const serviceWorkerPath = path.join(__dirname, '../public/serviceWorker.js');
    const serviceWorkerCode = fs.readFileSync(serviceWorkerPath, 'utf8');
    
    // Create a mock environment that mimics service worker context
    const mockCache = {
      put: jest.fn()
    };
    
    const mockCaches = {
      open: jest.fn().mockResolvedValue(mockCache)
    };
    
    const mockRequest = {
      formData: jest.fn().mockResolvedValue({
        getAll: () => [file]
      })
    };
    
    const mockUrl = {
      origin: 'http://localhost'
    };
    
    // Execute the upload function in isolated context
    const testCode = `
      ${serviceWorkerCode}
      return upload;
    `;
    
    const uploadFunction = eval(`(function() { ${testCode} })()`);
    
    try {
      await uploadFunction(mockRequest, mockUrl);
      
      // If we reach here and shouldReject is true, the test fails
      if (shouldReject) {
        expect(mockCache.put).not.toHaveBeenCalled();
      } else {
        expect(mockCache.put).toHaveBeenCalled();
      }
    } catch (error) {
      // If shouldReject is true and we get an error, that's expected
      if (!shouldReject) {
        throw error;
      }
      expect(error).toBeDefined();
    }
  });
});

This test guards against regressions — it's useful independent of the code change above.


Automated security fix by OrbisAI Security

Automated security fix generated by OrbisAI Security
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant