It is possible to circumvent the AMO validator when uploading beta addons

Status: RESOLVED WONTFIX
3 years ago
3 years ago

People

(Reporter: Fallen, Unassigned)

Tracking

unspecified
Bug Flags:
sec-bounty -

Details

STR:

1. Upload a new beta addon that contains AMO validator warnings with signing severity.
2. See the message "Your version was detected as beta. It didn't pass automatic validation and thus can't be submitted. If you didn't mean to submit it as beta, please uncheck the beta channel option."
3. Use the Inspector to remove the "disabled" state from the "Add File" button.
4. Click on "Add File".


Results:
* Nothing visually happens when clicking on "Add File", but the file is still added as a new version.


Expected:
* The validation result must be checked server side and not on the client.
* Adding the files and version must not be possible.


While this bug may not be an XSS type attack, it does allow circumventing a security feature, therefore filing with a security flag. I couldn't find this specific case on https://wiki.mozilla.org/WebAppSec/Web_App_Severity_Ratings but if this bug is worth a bounty I'd surely appreciate it :)
As proof, I've managed to upload Lightning 4.0b6 with this validation report:
https://addons.mozilla.org/en-US/developers/upload/761bac26873f4aa4bc25cd550fb6d894
I just confirmed that while the files do get added to the beta channel, they don't get signed, so I don't consider this a security issue.
Ah ok, too bad. I would have loved to get that T-Shirt. Might as well open this bug then. I can't do that since I don't have the group.
I'm going to close this bug in favor of https://bugzilla.mozilla.org/show_bug.cgi?id=1172035

Thanks for reporting!
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
As a side note, now that the automatic validation is enabled, the view (called via ajax) now answers with a 403 if trying to auto-validate a beta addon that doesn't pass validation: https://github.com/mozilla/olympia/blob/1c5dd76521e5ecd7b25ae6d4a9407d90acac441b/apps/devhub/views.py#L1205
Group: client-services-security
Flags: sec-bounty-
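The Expected section in the report and the side note above describe the same fix from two angles: the client's disabled button is not a trust boundary, and the server must re-check the stored validation result itself (answering 403 for a failed beta upload). The following is an added example written for this page, not Olympia's code; the in-memory `UPLOADS` store, the `SIGNING_SEVERITY` label and the two view-like functions are hypothetical stand-ins for the real Django views and models.

```python
# Added example, not Olympia's code. Everything here (the in-memory
# store, the severity label, the view-like functions) is hypothetical;
# it contrasts a validation gate enforced only by the client's button
# state with one enforced on the server.
from dataclasses import dataclass, field

# Hypothetical severity label for validator messages that block signing.
SIGNING_SEVERITY = "signing"


@dataclass
class ValidationResult:
    """Outcome of the (hypothetical) automatic validator for one upload."""
    messages: list  # each message is a dict carrying at least 'severity'

    def passes(self) -> bool:
        # An upload fails when any message carries signing severity.
        return not any(m.get("severity") == SIGNING_SEVERITY for m in self.messages)


@dataclass
class Upload:
    uuid: str
    is_beta: bool
    validation: ValidationResult


@dataclass
class Addon:
    versions: list = field(default_factory=list)


# Hypothetical server-side store: upload uuid -> Upload (stands in for the DB).
UPLOADS = {}


def add_file_client_gated(addon: Addon, upload_uuid: str, client_ok: bool):
    """Pre-fix pattern the report describes: the server trusts the client's
    claim. The only thing between a failed upload and a new version is the
    disabled 'Add File' button, so any request arriving with client_ok=True
    is accepted."""
    upload = UPLOADS[upload_uuid]
    if not client_ok:
        return 400, "client reported validation failure"
    addon.versions.append(upload.uuid)
    return 200, "file added"


def add_file_server_enforced(addon: Addon, upload_uuid: str, client_ok: bool):
    """Hardened form: client_ok is accepted for API parity but never consulted.
    The server re-reads the stored validation result and answers 403 for a
    beta upload that did not pass, matching the side note's described
    behaviour of the auto-validate view."""
    upload = UPLOADS[upload_uuid]
    if upload.is_beta and not upload.validation.passes():
        return 403, "beta upload did not pass automatic validation"
    addon.versions.append(upload.uuid)
    return 200, "file added"


def demo():
    """Constructed scenario: one beta upload with a signing-severity warning and
    one beta upload with only an ordinary warning, both submitted with the
    client-side flag claiming success."""
    UPLOADS.clear()
    failing = ValidationResult(messages=[
        {"id": "constructed-warning", "severity": SIGNING_SEVERITY},
    ])
    passing = ValidationResult(messages=[
        {"id": "constructed-notice", "severity": "warning"},
    ])
    UPLOADS["beta-fail"] = Upload("beta-fail", True, failing)
    UPLOADS["beta-pass"] = Upload("beta-pass", True, passing)

    gated_addon = Addon()
    gated = add_file_client_gated(gated_addon, "beta-fail", client_ok=True)

    enforced_addon = Addon()
    enforced = add_file_server_enforced(enforced_addon, "beta-fail", client_ok=True)

    ok_addon = Addon()
    ok = add_file_server_enforced(ok_addon, "beta-pass", client_ok=True)

    return {
        "client_gated": (gated[0], len(gated_addon.versions)),
        "server_enforced": (enforced[0], len(enforced_addon.versions)),
        "server_enforced_passing": (ok[0], len(ok_addon.versions)),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the client-gated path attaching the failed upload as a version (200, one version) while the server-enforced path refuses it (403, no version) and still accepts a beta upload whose messages carry no signing-severity entry.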
(Assignee) Updated 3 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard