CVE-2024-24752: Bref's Uploaded Files Not Deleted in Event-Driven Functions
When Bref is used with the Event-Driven Function runtime and the handler implements PSR-15's RequestHandlerInterface, the incoming Lambda event is converted to a PSR-7 ServerRequest. During that conversion, if the request body is multipart, each part is parsed, and every part that carries a file is written to /tmp under a random filename starting with bref_upload_.
The method implementing this logic, as shipped in Bref 2.1.12 (src/Event/Http/Psr7Bridge.php, before the fix), follows:
private static function parseBodyAndUploadedFiles(HttpRequestEvent $event): array
{
    $bodyString = $event->getBody();
    $files = [];
    $parsedBody = null;
    $contentType = $event->getContentType();
    if ($contentType !== null && $event->getMethod() === 'POST') {
        if (str_starts_with($contentType, 'application/x-www-form-urlencoded')) {
            parse_str($bodyString, $parsedBody);
        } else {
            // Re-attach the Content-Type header so the multipart parser can find the boundary
            $document = new Part("Content-type: $contentType\r\n\r\n" . $bodyString);
            if ($document->isMultiPart()) {
                $parsedBody = [];
                foreach ($document->getParts() as $part) {
                    if ($part->isFile()) {
                        // Each file part is copied to /tmp/bref_upload_XXXXXX ...
                        $tmpPath = tempnam(sys_get_temp_dir(), 'bref_upload_');
                        if ($tmpPath === false) {
                            throw new RuntimeException('Unable to create a temporary directory');
                        }
                        file_put_contents($tmpPath, $part->getBody());
                        // ... and exposed as a PSR-7 UploadedFile; nothing records $tmpPath
                        // for later deletion, so the file outlives the request
                        $file = new UploadedFile($tmpPath, filesize($tmpPath), UPLOAD_ERR_OK, $part->getFileName(), $part->getMimeType());
                        self::parseKeyAndInsertValueInArray($files, $part->getName(), $file);
                    } else {
                        self::parseKeyAndInsertValueInArray($parsedBody, $part->getName(), $part->getBody());
                    }
                }
            }
        }
    }
    return [$files, $parsedBody];
}
The flow mimics what PHP's own request handling does when it populates $_FILES, with one difference: plain PHP removes the uploaded temporary files when the request ends, whereas this bridge never does. A Lambda execution environment is reused for subsequent invocations and keeps its /tmp between them, so the bref_upload_* files accumulate across requests until the environment is recycled or /tmp (512 MB by default) fills up and later uploads fail with an exception from tempnam() or file_put_contents(). Until then, the contents of earlier requests' uploads also remain on disk where any code running in a later invocation of the same environment can read them. The fix (the commit referenced below, released in Bref 2.1.13) deletes the files once the handler has returned.
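To make the missing step concrete, the following is an added example, not Bref's code: a minimal multipart/form-data parser that stores file parts in /tmp the same way the bridge above does (tempnam() with the bref_upload_ prefix), wrapped in a request handler that deletes them in a finally block, plus a glob-based check for leftover bref_upload_* files that can be run on an environment to confirm whether uploads are being cleaned up. The class and function names, the boundary and the request body are all made up for the example; it needs PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Added example (not Bref's code). Names and the request below are constructed.

final class UploadScratch
{
    /** @var string[] temp paths created while handling the current request */
    private array $created = [];

    /** Store one file part the way the bridge does, and remember the path. */
    public function store(string $contents): string
    {
        $path = tempnam(sys_get_temp_dir(), 'bref_upload_');
        if ($path === false) {
            throw new RuntimeException('Unable to create a temporary file');
        }
        file_put_contents($path, $contents);
        $this->created[] = $path;
        return $path;
    }

    /** The step the vulnerable bridge lacked: remove this request's files. */
    public function cleanup(): void
    {
        foreach ($this->created as $path) {
            if (is_file($path)) {
                unlink($path);
            }
        }
        $this->created = [];
    }
}

/** Minimal multipart parser: returns [fields, files]; files map a field name to its temp path. */
function parseMultipart(string $contentType, string $body, UploadScratch $scratch): array
{
    if (!preg_match('/boundary=("?)([^";]+)\1/', $contentType, $m)) {
        throw new InvalidArgumentException('missing multipart boundary');
    }
    $fields = [];
    $files = [];
    $chunks = explode('--' . $m[2], $body);
    array_shift($chunks);                        // preamble before the first delimiter
    foreach ($chunks as $chunk) {
        if (str_starts_with($chunk, '--')) {
            break;                               // closing delimiter "--boundary--"
        }
        // Each chunk is "\r\n<headers>\r\n\r\n<content>\r\n"; strip the outer CRLFs.
        $chunk = substr($chunk, 2, -2);
        [$rawHeaders, $content] = array_pad(explode("\r\n\r\n", $chunk, 2), 2, '');
        if (!preg_match('/;\s*name="([^"]*)"/', $rawHeaders, $n)) {
            continue;                            // no Content-Disposition name: ignore the part
        }
        if (preg_match('/filename="([^"]*)"/', $rawHeaders, $f)) {
            $files[$n[1]] = ['name' => $f[1], 'tmp_path' => $scratch->store($content)];
        } else {
            $fields[$n[1]] = $content;
        }
    }
    return [$fields, $files];
}

/** Run a handler for one request and always clean up, even if the handler throws. */
function handleRequest(string $contentType, string $body, callable $handler): mixed
{
    $scratch = new UploadScratch();
    try {
        [$fields, $files] = parseMultipart($contentType, $body, $scratch);
        return $handler($fields, $files);
    } finally {
        // A warm Lambda execution environment keeps /tmp between invocations;
        // without this, every upload leaves a bref_upload_* file behind.
        $scratch->cleanup();
    }
}

/** Operational check: files left over from earlier requests in this environment. */
function leftoverUploads(): array
{
    return glob(sys_get_temp_dir() . '/bref_upload_*') ?: [];
}

// Constructed request, shaped like what a browser sends for a form with one file field.
$boundary = 'ExampleBoundary7f3a';
$contentType = "multipart/form-data; boundary=$boundary";
$body = "--$boundary\r\n"
    . "Content-Disposition: form-data; name=\"title\"\r\n\r\n"
    . "quarterly report\r\n"
    . "--$boundary\r\n"
    . "Content-Disposition: form-data; name=\"attachment\"; filename=\"report.csv\"\r\n"
    . "Content-Type: text/csv\r\n\r\n"
    . "id,amount\r\n1,42\r\n"
    . "--$boundary--\r\n";

$before = count(leftoverUploads());
$result = handleRequest($contentType, $body, function (array $fields, array $files): array {
    // The handler sees the file while it exists; it is gone once handleRequest() returns.
    $path = $files['attachment']['tmp_path'];
    return ['title' => $fields['title'], 'bytes' => filesize($path), 'existed' => file_exists($path)];
});
$after = count(leftoverUploads());

printf("title=%s bytes=%d existed=%s leftover=%d\n",
    $result['title'], $result['bytes'], $result['existed'] ? 'yes' : 'no', $after - $before);
```

Run it with `php example.php`; the leftover count stays at zero because cleanup() runs in the finally block whatever the handler does. In the bridge, the equivalent is to record every path tempnam() produced during the PSR-7 conversion and unlink them after the PSR-15 handler has returned, which is the approach the referenced fix takes. The leftoverUploads() glob is also a cheap way to audit a deployed function: invoke it with an upload a few times and list /tmp; a growing number of bref_upload_* files means the cleanup is not happening.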
References
- github.com/advisories/GHSA-x4hh-frx8-98r5
- github.com/brefphp/bref
- github.com/brefphp/bref/blob/2.1.12/src/Event/Http/Psr7Bridge.php
- github.com/brefphp/bref/commit/350788de12880b6fd64c4c318ba995388bec840e
- github.com/brefphp/bref/security/advisories/GHSA-x4hh-frx8-98r5
- nvd.nist.gov/vuln/detail/CVE-2024-24752