Cross Site Scripting (XSS)

[gpsilv4]

Persistent XSS enabled Persistent XSS in /api/1/datasets/xxxx/upload
The data.gouv.fr application is vulnerable to a persistent Cross Site Scripting (XSS) attack on /api/1/datasets/xxxx/upload. Data is entered into the application by uploading an SVG file
The following POST request demonstrates the injection:
curl -H "Accept: application/json" -H "X-Api-Key: ID_KEY" -X POST -L "https://www.data.gouv.fr/api/1/datasets/64b1590386136fdc4e31e1a0/upload/" -F "file=@svg1.svg;type=image/svg+xml"
file svg1:

Persistent XSS vulnerabilities are the most concerning among the 3 types of XSS. They appear when data submitted in an HTTP request is stored (usually in a database) without validation. An attacker can use this vulnerability to build a message based on Javascript code that will be stored in the database and later loaded by the application and sent to all users who open the page. When viewed by anyone, the malicious Javascript code is loaded and executed in your browser in the context of the currently open session. The code generated by the attacker can carry out a wide variety of actions, such as stealing the session cookie allowing him to escalate privileges in the application, or even carrying out keylogging.

[maudetes]

Thank you for this report! We do not render the SVG file uploaded on data.gouv.fr, thus preventing loading the malicious code, and preventing the attack from being executed.
However, we should indeed take appropriate measures to prevent any potential security vulnerabilities, probably by implementing input validation on SVG files. It would make sure to prevent being a vector of malicious content.