CVE-2024-29034 (carrierwave): CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained

Ruby Security Advisory

### Impact

The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj)
wasn’t fully addressed.

This vulnerability is caused by the fact that when uploading to
object storage, including Amazon S3, it is possible to set a
Content-Type value that is interpreted by browsers to be different
from what’s allowed by `content_type_allowlist`, by providing
multiple values separated by commas.

This bypassed value can be used to cause XSS.

### Patches

Upgrade to [3.0.7](https://rubygems.org/gems/carrierwave/versions/3.0.7) or [2.2.6](https://rubygems.org/gems/carrierwave/versions/2.2.6).

### Workarounds
Use the following monkey patch to let CarrierWave parse the
Content-type by using `Marcel::MimeType.for`.

“`ruby
# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
def declared_content_type
@declared_content_type ||
if @file.respond_to?(:content_type) && @file.content_type
Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
end
end
end
“`

“`ruby
# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
def existing_content_type
if @file.respond_to?(:content_type) && @file.content_type
Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
end
end
end
“`

### References

[OWASP – File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation)

READ MORE

Leave a Reply

Your email address will not be published. Required fields are marked *