It is possible to circumvent the AMO validator when uploading beta addons

3 years ago

(Reporter: Fallen, Unassigned)
Bug Flags:
sec-bounty -
1. Upload a new beta addon that contains AMO validator warnings with signing severity.
2. See the message "Your version was detected as beta. It didn't pass automatic validation and thus can't be submitted. If you didn't mean to submit it as beta, please uncheck the beta channel option."
3. Use the Inspector to remove the "disabled" state from the "Add File" button
4. Click on "Add File"

* Nothing visually happens when clicking on "Add File", but the file is still added as a new version

* The validation result must be checked server side and not on the client
* Adding the files and version must not be possible.

While this bug may not be an XSS type attack, it does allow circumventing a security feature, therefore filing with a security flag. I couldn't find this specific case on but if this bug is worth a bounty I'd surely appreciate it :)
As proof, I've managed to upload Lightning 4.0b6 with this validation report:
I just confirmed that while the files do get added to the beta channel, they don't get signed, so I don't consider this a security issue.
Ah ok, too bad. I would have loved to get that T-Shirt. Might as well open this bug then. I can't do that since I don't have the group.
I'm going to close this bug in favor of

Thanks for reporting!
Last Resolved: 3 years ago
Resolution: --- → WONTFIX
As a side note, now that the automatic validation is enabled, the view (called via ajax) now answers with a 403 if trying to auto-validate a beta addon that doesn't pass validation:
Group: client-services-security
Flags: sec-bounty-
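The expected result above (the validation outcome enforced on the server, never from the client's button state) and the 403 answer described in the previous comment, as an added Python example that is not AMO's own code; the validator message layout, the beta-detection regex and the severity levels are assumptions:

```python
import json
import re

# Assumption: severity levels a validator message may carry; any of them
# blocks a beta submission, as the bug's expected result requires.
SIGNING_SEVERITIES = {"low", "medium", "high"}

# Assumption: beta is detected from the version string, e.g. "4.0b6".
BETA_VERSION_RE = re.compile(r"(a|alpha|b|beta|pre|rc)\d*$")


def has_signing_warnings(validation_result):
    """True if any message in the validator report has a signing severity."""
    return any(
        msg.get("signing_severity") in SIGNING_SEVERITIES
        for msg in validation_result.get("messages", [])
    )


def add_version(upload, form):
    """Server-side gate for the "Add File" request.

    The client's DOM state (a re-enabled button) is not an input here: the
    decision is recomputed from the stored upload record and the submitted
    form fields. Returns (http_status, body) like the ajax view in the bug.
    """
    detected_beta = bool(BETA_VERSION_RE.search(upload["version"]))
    is_beta = form.get("beta", detected_beta)
    if is_beta and has_signing_warnings(upload["validation"]):
        return 403, {"error": "Beta version did not pass automatic validation; "
                              "no file or version was added."}
    channel = "beta" if is_beta else "release"
    return 201, {"version": upload["version"], "channel": channel}


# Constructed sample inputs (not real validator output).
FAILING_UPLOAD = {
    "version": "4.0b6",
    "validation": json.loads('{"messages": [{"type": "warning", '
                             '"signing_severity": "high", '
                             '"message": "constructed warning"}]}'),
}
CLEAN_UPLOAD = {"version": "4.0b6", "validation": {"messages": []}}

if __name__ == "__main__":
    # Even if the client re-enables the button, the server still answers 403.
    print(add_version(FAILING_UPLOAD, {"beta": True}))  # status 403
    print(add_version(CLEAN_UPLOAD, {"beta": True}))    # status 201
```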
Product: → Graveyard