Replies: 1 comment
-
See our previous answer on malicious svg: #2869. The malicious code never gets executed.
-
Persistent XSS enabled Persistent XSS in /api/1/datasets/xxxx/upload/community/
The data.gouv.fr application is vulnerable to a persistent Cross Site Scripting (XSS) attack on /api/1/datasets/xxxx/upload/community/. Data is entered into the application by uploading an SVG file.
The following POST request demonstrates the injection:
curl -H "Accept: application/json" -H "X-Api-Key: ID_KEY" -X POST -L "https://www.data.gouv.fr/api/1/datasets/64b1590386136fdc4e31e1a0/upload/community/ " -F "[email protected];type=image/svg+xml"
file svg2:
Persistent XSS vulnerabilities are the most concerning among the 3 types of XSS. They appear when data submitted in an HTTP request is stored (usually in a database) without validation. An attacker can use this vulnerability to build a message based on JavaScript code that will be stored in the database and later loaded by the application and sent to all users who open the page. When viewed by anyone, the malicious JavaScript code is loaded and executed in your browser in the context of the currently open session. The code generated by the attacker can carry out a wide variety of actions, such as stealing the session cookie allowing him to escalate privileges in the application, or even carrying out keylogging.