Closed
Bug 1171930
Opened 9 years ago
Closed 9 years ago
It is possible to circumvent the AMO validator when uploading beta addons
Categories
(addons.mozilla.org Graveyard :: Developer Pages, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: Fallen, Unassigned)
Details
STR:
1. Upload a new beta addon that contains AMO validator warnings with signing severity.
2. See the message "Your version was detected as beta. It didn't pass automatic validation and thus can't be submitted. If you didn't mean to submit it as beta, please uncheck the beta channel option."
3. Use the Inspector to remove the "disabled" state from the "Add File" button.
4. Click on "Add File".

Results:
* Nothing visually happens when clicking on "Add File", but the file is still added as a new version.

Expected:
* The validation result must be checked server side and not on the client.
* Adding the files and version must not be possible.

While this bug may not be an XSS type attack, it does allow circumventing a security feature, therefore filing with a security flag. I couldn't find this specific case on https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings but if this bug is worth a bounty I'd surely appreciate it :)
Comment 1•9 years ago
As proof, I've managed to upload Lightning 4.0b6 with this validation report: https://addons.mozilla.org/en-US/developers/upload/761bac26873f4aa4bc25cd550fb6d894
Comment 2•9 years ago
I just confirmed that while the files do get added to the beta channel, they don't get signed, so I don't consider this a security issue.
Comment 3•9 years ago
Ah ok, too bad. I would have loved to get that T-Shirt. Might as well open this bug then. I can't do that since I don't have the group.
Comment 4•9 years ago
I'm going to close this bug in favor of https://bugzilla.mozilla.org/show_bug.cgi?id=1172035 Thanks for reporting!
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Comment 5•9 years ago
As a side note, now that the automatic validation is enabled, the view (called via ajax) now answers with a 403 if trying to auto-validate a beta addon that doesn't pass validation: https://github.com/mozilla/olympia/blob/1c5dd76521e5ecd7b25ae6d4a9407d90acac441b/apps/devhub/views.py#L1205
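The pattern at the heart of this bug (the description above) and its fix (the 403 described in Comment 5) as an added illustration; this is not code from the olympia project, and ValidationMessage, UploadRecord, blocks_beta_submission and add_file_version are hypothetical names. The "disabled" button in the browser is treated as a convenience only; the decision is re-made from the stored validation result on every request.

```python
# Added example (not olympia code): a minimal server-side gate for beta uploads.
# The client may have re-enabled the "Add File" button; that is irrelevant here.
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class ValidationMessage:
    message: str
    severity: str  # constructed values: "signing", "warning", "notice"


@dataclass
class UploadRecord:
    filename: str
    validation_done: bool
    messages: List[ValidationMessage] = field(default_factory=list)


def blocks_beta_submission(upload: UploadRecord) -> bool:
    """True when the stored validation result must stop a beta submission.

    An upload whose validation has not finished yet is treated as failing:
    the safe default is to refuse rather than trust anything the client claims.
    """
    if not upload.validation_done:
        return True
    return any(m.severity == "signing" for m in upload.messages)


def add_file_version(upload: UploadRecord, beta: bool) -> Tuple[int, str]:
    """Handler for the 'Add File' request. Returns (HTTP status, body).

    Mirrors the fixed behaviour described in Comment 5: a beta upload that
    did not pass validation gets a 403 instead of silently creating a version.
    """
    if beta and blocks_beta_submission(upload):
        return 403, "Beta version did not pass automatic validation"
    return 200, "Version created from " + upload.filename


if __name__ == "__main__":
    # Constructed sample matching the bug's STR: beta upload with a signing-severity warning.
    bad = UploadRecord("example-4.0b6.xpi", True,
                       [ValidationMessage("Dangerous API use", "signing")])
    print(add_file_version(bad, beta=True))   # (403, 'Beta version did not pass automatic validation')
    good = UploadRecord("example-4.0b6.xpi", True,
                        [ValidationMessage("Unused variable", "notice")])
    print(add_file_version(good, beta=True))  # (200, 'Version created from example-4.0b6.xpi')
```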
Updated•9 years ago
Group: client-services-security
Flags: sec-bounty-
Updated•8 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard