Gotenberg
cpe:2.3:a:thecodingmachine:gotenberg:*:*:*:*:*:*:*
- <= 8.26.0
A vulnerability in Gotenberg's handling of URL schemes allows the deny-list restrictions implemented for Chromium file access to be bypassed. This issue is present in Gotenberg versions through 8.26.0. The vulnerability arises because the deny-list regex, which is case-sensitive by default, does not account for the fact that URI schemes are case-insensitive. As a result, URLs with mixed-case or uppercase schemes evade the deny-list checks and can access restricted files outside the '/tmp' directory.
Exploitation of this vulnerability allows unauthorized access to files outside the designated '/tmp' directory, including sensitive files such as '/etc/passwd'.
1. Start Gotenberg with the default settings.
2. Use the URL conversion endpoint with a 'FILE://' URL that points to a restricted file, such as '/etc/passwd', using an uppercase scheme.
3. Alternatively, create an HTML file that includes an iframe linking to the same 'FILE://' URL and convert it using the HTML conversion endpoint.
Users can update to Gotenberg version 8.29.0 or later, where this vulnerability has been patched.
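The following Go program is an added illustration of the defect class described above and is not Gotenberg's own code: a case-sensitive `^file://` regex applied to the raw URL, beside a check that parses the URL and normalises the scheme before applying the same restriction. The regex, the `/tmp/` allow-prefix and the function names are constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"regexp"
	"strings"
)

// Constructed deny-list in the spirit of the advisory, not Gotenberg's own
// pattern: a case-sensitive regex meant to recognise every file:// URL.
var fileSchemeRe = regexp.MustCompile(`^file://`)

// Only local files under this directory may be referenced (constructed).
const allowedDir = "/tmp/"

// vulnerableAllowed models the flawed logic: the restriction only applies
// when the regex matches the raw URL, so "FILE:///etc/passwd" never enters
// the file branch and is allowed through.
func vulnerableAllowed(rawURL string) bool {
	if fileSchemeRe.MatchString(rawURL) {
		return strings.HasPrefix(strings.TrimPrefix(rawURL, "file://"), allowedDir)
	}
	return true // treated as a non-file URL
}

// hardenedAllowed parses the URL before deciding. URI schemes are
// case-insensitive (RFC 3986 section 3.1) and net/url lowercases the scheme,
// so FILE://, File:// and file:// all reach the file branch. The path is
// cleaned so ".." segments are resolved before the prefix check.
func hardenedAllowed(rawURL string) bool {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false // fail closed on input that cannot be parsed
	}
	if strings.ToLower(u.Scheme) != "file" {
		return true
	}
	if u.Host != "" && u.Host != "localhost" {
		return false // a file URL naming another host is not a local path
	}
	return strings.HasPrefix(path.Clean(u.Path), allowedDir)
}

func main() {
	for _, raw := range []string{"file:///tmp/in.html", "file:///etc/passwd", "FILE:///etc/passwd"} {
		fmt.Printf("%-22s vulnerable=%-5v hardened=%v\n", raw, vulnerableAllowed(raw), hardenedAllowed(raw))
	}
}
```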