HTTP Query String Injection in unjs/unstorage
Dec 30th 2022
The application does not properly sanitize query string parameters in the
http drivers. In the case of the
http drivers there is no immediate vulnerability, however a slight risk is presented.
When a user controls a key within the
cloudflare-kv-http driver the
expiration_ttl parameters can be injected, allowing an attacker to modify the availability of an item.
This vulnerability is fairly minor, however in combination with a vulnerability in the cloudflare service, or github, or other HTTP service, sensitive parameters may be injected. There may also be undocumented query string parameters within these services.
Path traversals may also be possible in some services which normalise sequences of
Proof of Concept
Set up the
Send a request with the following key
Observe that the key is removed shortly after creation.
Impacting the availability of user provided or user influenced keys.