Project avatar resource vulnerable to XSRF

2015-03-18T03:28:26
ID ATLASSIAN:BSERV-7184
Type atlassian
Reporter npellow
Modified 2015-10-20T13:34:56

Description

The project avatar resource accepts the MULTIPART_FORM_DATA content type, so an attacker could use JavaScript to submit a form from a foreign host to a Stash server and trick the user into changing the project avatar in Stash.

cc David Black [Atlassian] - is there any reason why panopticon found the issue with the UserResource but not with the ProjectResource?

com.atlassian.stash.internal.rest.project.ProjectResource

POST rest/api/1.0/projects/{PROJECT_SLUG}/avatar.png

{code}
@POST
@Consumes(MediaType.MULTIPART_FORM_DATA)
@MultipartConfigClass(AvatarMultipartConfig.class)
@Path(AVATAR_PATH)
public Response uploadAvatar(@Context Project project, @Context UriInfo uriInfo, @MultipartFormParam("avatar") final FilePart file) {
    // no XSRF token or header check before the avatar is replaced
    projectService.updateAvatar(project.getId(), new FilePartAvatarSupplier(file));
{code}

Documentation must also be updated to tell users about the new requirement to set the X-Atlassian-Token header value to "no-check".
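As an added illustration of the header-based mitigation this issue proposes (example code written for this page, not Stash's own XSRF filter), the JAX-RS request filter below rejects form-style POSTs that do not carry X-Atlassian-Token: no-check. A plain HTML form submitted from another origin cannot set custom request headers, so the foreign-host submission described above is refused, while a client that adds the header passes. The filter class name, the 403 response body and the decision to scope the check to content types an HTML form can produce are assumptions for this example.

```java
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

/**
 * Example XSRF guard for form-style uploads such as the project avatar
 * resource. Not Stash's own filter; written to illustrate the
 * X-Atlassian-Token: no-check requirement mentioned in this issue.
 * Class name and response text are assumptions for this example.
 */
@Provider
@PreMatching
public class FormPostXsrfFilter implements ContainerRequestFilter {

    // Header name and value as named in the issue.
    static final String TOKEN_HEADER = "X-Atlassian-Token";
    static final String NO_CHECK = "no-check";

    @Override
    public void filter(ContainerRequestContext ctx) {
        if (!isFormStylePost(ctx)) {
            // JSON and other non-form content types cannot be sent by a
            // plain cross-site HTML form, so they are not in scope here.
            return;
        }
        if (!hasNoCheckHeader(ctx.getHeaderString(TOKEN_HEADER))) {
            ctx.abortWith(Response.status(Response.Status.FORBIDDEN)
                    .entity("XSRF check failed: send " + TOKEN_HEADER + ": " + NO_CHECK)
                    .build());
        }
    }

    /** State-changing request whose content type an HTML form can produce. */
    static boolean isFormStylePost(ContainerRequestContext ctx) {
        if (!"POST".equals(ctx.getMethod())) {
            return false;
        }
        MediaType type = ctx.getMediaType();
        // A missing Content-Type is treated as form-style (browser default).
        return type == null
                || type.isCompatible(MediaType.MULTIPART_FORM_DATA_TYPE)
                || type.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE)
                || type.isCompatible(MediaType.TEXT_PLAIN_TYPE);
    }

    /**
     * Browsers cannot attach custom headers to a plain form submission, so
     * the header's presence indicates a scripted same-origin client (or one
     * that passed a CORS preflight). Value comparison is case-insensitive.
     */
    static boolean hasNoCheckHeader(String value) {
        return value != null && NO_CHECK.equalsIgnoreCase(value.trim());
    }
}
```

Registering the filter with @PreMatching runs it before the multipart body is bound to uploadAvatar, so a rejected request never reaches projectService.updateAvatar; the same header requirement is what the documentation change in this issue tells API clients to satisfy.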