+ "details": "The application server exposes an unauthenticated endpoint that generates S3 `PutObject` presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values.\n\n### Details\n\nThe static route registers the signed upload URL endpoint with only `recaptcha` before the controller:\n\n- `packages/server/src/api/routes/static.ts:44-48`\n\n```ts\n44: .post(\n45: \"/api/attachments/:datasourceId/url\",\n46: recaptcha,\n47: controller.getSignedUploadURL\n48: )\n```\n\nThe controller loads the datasource by `datasourceId` with enriched secret values:\n\n- `packages/server/src/api/controllers/static/index.ts:590-598`\n\n```ts\n590:export const getSignedUploadURL = async function (\n591: ctx: Ctx<GetSignedUploadUrlRequest, GetSignedUploadUrlResponse>\n592:) {\n593: // Ensure datasource is valid\n594: let datasource\n595: try {\n596: const { datasourceId } = ctx.params\n597: datasource = await sdk.datasources.get(datasourceId, { enriched: true })\n598: if (!datasource) {\n```\n\nThe request body controls `bucket` and `key`, and the server signs a PUT URL using the stored datasource credentials:\n\n- `packages/server/src/api/controllers/static/index.ts:609-629`\n\n```ts\n609: if (datasource?.source === \"S3\") {\n610: const { bucket, key } = ctx.request.body || {}\n611: if (!bucket || !key) {\n612: ctx.throw(400, \"bucket and key values are required\")\n613: }\n614: try {\n615: let endpoint = datasource?.config?.endpoint\n616: if (endpoint && !utils.urlHasProtocol(endpoint)) {\n617: endpoint = `https://${endpoint}`\n618: }\n619: const s3 = new S3({\n620: region: awsRegion,\n621: endpoint: endpoint,\n622: credentials: {\n623: accessKeyId: datasource?.config?.accessKeyId as string,\n624: secretAccessKey: datasource?.config?.secretAccessKey as string,\n625: },\n626: })\n627: const params = { Bucket: bucket, Key: key }\n628: signedUrl = await getSignedUrl(s3, new PutObjectCommand(params))\n629: if (endpoint) {\n```\n\nThe endpoint returns the signed URL and public URL to the caller:\n\n- `packages/server/src/api/controllers/static/index.ts:630-639`\n\n```ts\n630: publicUrl = `${endpoint}/${bucket}/${key}`\n631: } else {\n632: publicUrl = `https://${bucket}.s3.${awsRegion}.amazonaws.com/${key}`\n633: }\n634: } catch (error: any) {\n635: ctx.throw(400, error)\n636: }\n637: }\n638:\n639: ctx.body = { signedUrl, publicUrl }\n```\n\nBecause no authorization middleware is applied, the API trusts public input to choose where the stored S3 credentials will write.\n\n### PoC\n\nNon-destructive validation approach:\n\n1. Create or identify a workspace with an S3 datasource.\n2. Obtain the production workspace ID and S3 datasource ID.\n3. Send an unauthenticated request with the workspace ID header and attacker-controlled bucket/key:\n\n```http\nPOST /api/attachments/<datasourceId>/url HTTP/1.1\nx-budibase-app-id: app_<workspace-id>\ncontent-type: application/json\n\n{\"bucket\":\"attacker-controlled-or-permitted-bucket\",\"key\":\"poc/budibase.txt\"}\n```\n\n4. Observe that the response contains a signed PUT URL.\n5. Upload harmless content to the returned `signedUrl` and confirm the object is created using the datasource's stored S3 credentials.\n\n### Impact\n\nThis allows unauthenticated arbitrary object writes wherever the stored S3 datasource credentials have `PutObject` access. Depending on the datasource permissions, this can corrupt application data, overwrite public assets, place attacker-controlled objects in trusted buckets, consume storage, or abuse an organization's cloud credentials.",
0 commit comments