Remediation compared to ‘changing the tires on a car while in motion’
Great Gatsby find
The bug was discovered and reported by Shubham Shah, security researcher and CTO of Assetnote, and Sam Curry, security engineer at Yuga Labs.
The researchers initially discovered a security bug in Next.js, another React-based site generator, and decided to investigate other, similar frameworks, which led them to the Gatsby vulnerability. The pair have also unearthed similar bugs in static site generators in recent months, including an SSRF and XSS bug in Netlify.
The researchers found that the Image CDN functionality used to fetch resources did not validate the URLs supplied by the client.
Two routes were affected by the bug, one for images and the other for any file. Attackers could exploit this flaw to send arbitrary URLs to the server and have them rendered by the website. According to an advisory by Gatsby, the vulnerability could be exploited for SSRF or XSS attacks.
“The full read SSRF allows attackers to read the contents of arbitrary URLs including the metadata IP address if they are on a cloud environment,” Shah told The Daily Swig. “Any IP on the local network is accessible through the SSRF. On cloud environments, this bug could be escalated to steal secret keys or sensitive information from the metadata IP address.”
In a blog post, Shah detailed how the bug could be exploited.
Caveats to exploitability
Mike Gualtieri, security engineer at Gatsby, told The Daily Swig that the vulnerability only affected customers who were using the Gatsby Cloud and had enabled the optional Image CDN service. The bug has been patched in the latest release, and when enabling the Image CDN, web admins are warned if their sites are vulnerable.
Gualtieri also said that the SSRF vector did not present much exploitable risk to customers.
“Typically an SSRF vulnerability would be used by an adversary to access internal resources that are not publicly exposed to the internet. In this case, the SSRF executed within the environment hosted by our Image CDN partner that stores images for a site,” Gualtieri said. “This environment is completely decoupled from the Gatsby Cloud, so there would be no risk of data exposure or deeper system access.”
However, the XSS bug was more serious and could have been used for phishing or an authentication bypass.
“If a site included authentication functionality, and did not set secure cookie headers and/or a Content Security Policy, the XSS vector combined with phishing could have led to cookie or local-storage theft, which could have allowed an adversary the ability to authenticate to the site in the context of the stolen authentication token,” Gualtieri said.
Changing tires on a moving car
Patching the vulnerability was a tricky engineering effort that Gualtieri compared to “changing the tires on a car while in motion”.
The developers had to make sure that the fix would not break customer websites. Moreover, the team had to contact affected customers before public disclosure.
The patched version encrypts CDN URLs with a unique private key to ensure that only parameters included in a site build will be interpreted as valid routes.
Shah recommended that developers perform thorough code reviews, review logic, and confirm that sources and sinks have been audited for security issues.
“Audit exposed application routes that are accessible pre-authentication for any dangerous behaviors, even if the framework states it is a static site generator,” Shah warned. “Do not assume cloud platforms for static site generators have no dynamic or vulnerable routes.”