Reproduction steps for Arbitrary file write in resource_create and package_update actions, using the ResourceUploader object Vulnerability.

[Gauravp-NEC]

@amercader @YoloClin, With reference to CVE-2023-32321
I tried to confirm the below sub vulnerability on CKAN v2.9.9:

Arbitrary file write in resource_create and package_update actions, using the ResourceUploader object. Also reachable via package_create, package_revise, and package_patch via calls to package_update.

I have performed the below operations to verify the above mention sub vulnerability:

1. Create a dataset Test_resource and enter a dummy resource link (https://example.com/data.csv) in URL as shown below:

Current Result: Resource file `data.csv' is created.
Expected Result: Resource file 'data.csv' should not be created as the vulnerability has been fixed in v2.9.9 or 2.10.1.

2. In Test_resource dataset, add a new resource by only entering test.csv in the Names: field as shown below:
   

Current Result: Resource file `test.csv' is created.
Expected Result: Resource file 'test.csv' should not be created as the vulnerability has been fixed in v2.9.9 or 2.10.1.

Can you please explain the reproduction steps regarding the sub vulnerability (Arbitrary file write in resource_create and package_update actions, using the ResourceUploader object. Also reachable via package_create, package_revise, and package_patch via calls to package_update.)?. Thanks

[amercader]

@Gauravp-NEC Please to discuss security related issues use the security@ckan.org email address.

The two scenarios you describe are perfectly valid and the expected behaviour. A user authorized to create a dataset on Org 1 will be able to create resources in that dataset (A URL-based resource in the first case and an empty resource in the second case)

The vulnerability linked has been fixed in the CKAN versions listed in the advisory.