Elixir Tesla Multipart Header Injection Vulnerability via Unescaped Content-Disposition Values

Vulnerability

A vulnerability in the Elixir Tesla library, affecting versions from 0.8.0 up to but not including 1.18.3, allows multipart header injection through unescaped Content-Disposition parameter values. The issue is in the Tesla.Multipart module, where the 'part_headers_for_disposition' function interpolates disposition parameters into the part header without rejecting carriage return, line feed, or double-quote characters. Because these characters are passed through unchanged, an attacker can close a quoted parameter prematurely or inject additional headers and body bytes into the multipart request. The vulnerability is reachable whenever untrusted input is passed as a disposition parameter, such as the filename or field name, through the 'add_field', 'add_file', or 'add_file_content' functions.

Impact

Exploitation of this vulnerability allows additional headers or bytes to be injected into the body of a multipart request. The receiving application may then act on the injected headers or body content, especially if it uses a lenient multipart parser.

Reproduction

To reproduce this vulnerability, first create a new multipart object using 'Tesla.Multipart.new()'. Then, add a file or field with a name that includes unescaped CRLF sequences or double-quote characters. After that, send the multipart body through a Tesla adapter. The injected headers or body bytes will be received by the upstream application.

Remediation

Users can upgrade to Tesla version 1.18.3 or later, where this vulnerability has been fixed. For applications that cannot be immediately upgraded, validate and sanitize disposition parameter values before passing them to the multipart API, rejecting any values that contain carriage return, line feed, or double-quote characters.
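The following is an added example, not code from the Tesla project or from this advisory, showing the interim mitigation above as an Elixir wrapper around the multipart API. It assumes the public Tesla.Multipart functions 'add_field/4', 'add_file/3' and 'add_file_content/4' with their ':name' and ':filename' options, and that the default field name Tesla uses is "file"; the module name SafeMultipart and the error atom are hypothetical.

```elixir
defmodule SafeMultipart do
  @moduledoc """
  Hypothetical wrapper (not part of Tesla) that rejects disposition parameter
  values containing CR, LF or a double quote before they reach
  Tesla.Multipart. Intended for applications that cannot yet upgrade to 1.18.3.
  """

  # The three characters that let a value escape its quoted parameter
  # or start a new header line.
  @forbidden ~r/[\r\n"]/

  @spec validate_param(term()) :: {:ok, String.t()} | {:error, :unsafe_disposition_param}
  def validate_param(value) when is_binary(value) do
    if Regex.match?(@forbidden, value) do
      {:error, :unsafe_disposition_param}
    else
      {:ok, value}
    end
  end

  def validate_param(_other), do: {:error, :unsafe_disposition_param}

  # Wraps Tesla.Multipart.add_field/4; the field name becomes the
  # Content-Disposition "name" parameter.
  def add_field(mp, name, value, opts \\ []) do
    with {:ok, name} <- validate_param(name) do
      {:ok, Tesla.Multipart.add_field(mp, name, value, opts)}
    end
  end

  # Wraps Tesla.Multipart.add_file/3; both :name and :filename end up in
  # the Content-Disposition header. Assumption: Tesla defaults :name to "file"
  # and :filename to the path's basename, so we check the same defaults.
  def add_file(mp, path, opts \\ []) do
    with {:ok, _} <- validate_param(Keyword.get(opts, :name, "file")),
         {:ok, _} <- validate_param(Keyword.get(opts, :filename, Path.basename(path))) do
      {:ok, Tesla.Multipart.add_file(mp, path, opts)}
    end
  end

  # Wraps Tesla.Multipart.add_file_content/4; the explicit filename argument
  # and the :name option are both disposition parameters.
  def add_file_content(mp, data, filename, opts \\ []) do
    with {:ok, _} <- validate_param(filename),
         {:ok, _} <- validate_param(Keyword.get(opts, :name, "file")) do
      {:ok, Tesla.Multipart.add_file_content(mp, data, filename, opts)}
    end
  end
end

# Constructed usage: a clean filename passes, one carrying a line break is refused.
# SafeMultipart.validate_param("report.txt")   #=> {:ok, "report.txt"}
# SafeMultipart.validate_param("report\r\n.txt") #=> {:error, :unsafe_disposition_param}
```

Callers pattern-match on the '{:ok, mp}' / '{:error, _}' result and return a 4xx to the user on error rather than silently stripping characters; rejecting is simpler to reason about than sanitizing, and matches the advisory's recommendation. Once the application is on Tesla 1.18.3 or later the wrapper can be removed.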

Added: Jun 2, 2026, 8:24 PM
Updated: Jun 2, 2026, 8:24 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.0
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.