Kroki Vega Component URL Injection Vulnerability in Safe Mode

Vulnerability

The safe-mode check in the 'convert()' function of Kroki's Vega component can be bypassed when 'safeMode' is enabled and the parsed 'spec' contains an array where the check only inspects a single object. Because the check is skipped, an attacker can craft a Vega diagram specification whose data source sends requests to any URL, including local file system paths, and the fetched content is consumed by the renderer on the Kroki host, potentially exposing sensitive information.

Impact

Exploitation of this vulnerability is a server-side request forgery that can lead to unauthorized disclosure of sensitive information: a crafted specification makes the Kroki server request and retrieve data from local files (and, since any URL is accepted, from network locations reachable from the host).

Reproduction

To reproduce this vulnerability, submit a Vega-Lite specification whose 'data' field carries a 'url' attribute pointing to a local file, such as '/etc/passwd', arranged in the array form that the check does not inspect. Leave 'safeMode' at 'secure', which is the default setting. A fixed Kroki rejects such a request with an 'UnsafeIncludeError'; a vulnerable instance accepts it and resolves the URL.
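The following is an added example, not Kroki's own source: it models the flawed object-only check described above next to a hardened check that inspects a 'data' block whether it is a single dataset object (Vega-Lite) or an array of datasets (Vega), and that also walks nested views ('layer', 'concat', 'spec', transforms) so a URL hidden in a sub-view is caught. The function names 'naiveSafeModeCheck', 'hardenedSafeModeCheck' and 'collectDataUrls' are hypothetical, the 'UnsafeIncludeError' class is a stand-in named after the error in the advisory, and the three specifications are constructed sample inputs. It assumes that any mode other than 'unsafe' should reject external URLs.

```javascript
// Stand-in for Kroki's error class (the name comes from the advisory).
class UnsafeIncludeError extends Error {
  constructor(message) {
    super(message);
    this.name = 'UnsafeIncludeError';
  }
}

// Flawed pattern modelled on the advisory: only a `data` *object* is inspected.
// Vega (unlike Vega-Lite) declares `data` as an array of datasets, so
// `spec.data.url` is undefined there and the check never fires.
function naiveSafeModeCheck(spec, safeMode = 'secure') {
  if (safeMode === 'unsafe') return spec;
  if (spec.data && typeof spec.data.url === 'string') {
    throw new UnsafeIncludeError(`url "${spec.data.url}" is not allowed in ${safeMode} mode`);
  }
  return spec;
}

// Collect every `url` string declared under a `data` key anywhere in the spec.
// A `data` value may be one dataset object or an array of them; the walk then
// continues into every property so nested views and transforms are covered.
function collectDataUrls(node, path = '$', found = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => collectDataUrls(item, `${path}[${i}]`, found));
    return found;
  }
  if (node === null || typeof node !== 'object') return found;
  for (const [key, value] of Object.entries(node)) {
    if (key === 'data') {
      const datasets = Array.isArray(value) ? value : [value];
      datasets.forEach((ds, i) => {
        if (ds && typeof ds === 'object' && typeof ds.url === 'string') {
          const where = Array.isArray(value) ? `${path}.data[${i}]` : `${path}.data`;
          found.push({ path: where, url: ds.url });
        }
      });
    }
    collectDataUrls(value, `${path}.${key}`, found);
  }
  return found;
}

// Hardened check: reject the spec if any data URL is present in a non-unsafe mode.
function hardenedSafeModeCheck(spec, safeMode = 'secure') {
  if (safeMode === 'unsafe') return spec;
  const hits = collectDataUrls(spec);
  if (hits.length > 0) {
    const detail = hits.map((h) => `${h.path} -> ${h.url}`).join(', ');
    throw new UnsafeIncludeError(`data url(s) not allowed in ${safeMode} mode: ${detail}`);
  }
  return spec;
}

// Report whether a check accepts or rejects a spec (other errors propagate).
function outcome(check, spec) {
  try {
    check(spec);
    return 'accepted';
  } catch (e) {
    if (e instanceof UnsafeIncludeError) return 'rejected';
    throw e;
  }
}

// Constructed sample specifications (not taken from the advisory).
const vegaLiteWithUrl = {
  $schema: 'https://vega.github.io/schema/vega-lite/v5.json',
  data: { url: '/etc/passwd', format: { type: 'dsv', delimiter: ':' } },
  mark: 'bar',
  encoding: { x: { field: '1', type: 'nominal' } },
};
const vegaWithUrl = {
  $schema: 'https://vega.github.io/schema/vega/v5.json',
  data: [{ name: 'table', url: '/etc/passwd', format: { type: 'dsv', delimiter: ':' } }],
  marks: [],
};
const layeredWithUrl = {
  data: { values: [{ a: 1 }] },
  layer: [{ mark: 'line' }, { data: { url: 'file:///etc/hostname' }, mark: 'rule' }],
};
const inlineOnly = { data: { values: [{ a: 'A', b: 28 }] }, mark: 'bar' };

for (const [name, spec] of Object.entries({ vegaLiteWithUrl, vegaWithUrl, layeredWithUrl, inlineOnly })) {
  console.log(name, 'naive:', outcome(naiveSafeModeCheck, spec), 'hardened:', outcome(hardenedSafeModeCheck, spec));
}
```

The naive check rejects only the Vega-Lite object form; the Vega array form and the URL buried in a layer pass straight through. The hardened walk treats any data URL as an unsafe include regardless of where it sits, which is the conservative choice for a renderer that runs on a shared server.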

Remediation

Update to the latest version of Kroki, where this vulnerability has been fixed. Setting the KROKI_SAFE_MODE environment variable to 'unsafe' is not a mitigation: it disables the check entirely and permits every URL, so it should not be used in response to this issue.

Added: Dec 18, 2025, 5:46 PM
Updated: Dec 18, 2025, 5:46 PM

Vulnerability Rating (custom algorithm)

  spread          2.4
  impact          2.5
  exploitability  5.4
  remediation     8.3
  relevance       1.5
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.