Impacted Resources
bref/src/Event/Http/Psr7Bridge.php:130-168
Description
When Bref is used with the Event-Driven Function runtime and the handler is a RequestHandlerInterface, then the Lambda event is converted to a PSR7 object.
During the conversion process, if the request is a MultiPart, each part is parsed and its content added in the $files or $parsedBody arrays.
To do that, the following method is called with as first argument the result array ($files or $parsedBody), as second argument the part name, and as third argument the part content:
/**
* Parse a string key like "files[id_cards][jpg][]" and do $array['files']['id_cards']['jpg'][] = $value
*/
private static function parseKeyAndInsertValueInArray(array &$array, string $key, mixed $value): void
{
if (! str_contains($key, '[')) {
$array[$key] = $value;
return;
}
$parts = explode('[', $key); // files[id_cards][jpg][] => [ 'files', 'id_cards]', 'jpg]', ']' ]
$pointer = &$array;
foreach ($parts as $k => $part) {
if ($k === 0) {
$pointer = &$pointer[$part];
continue;
}
// Skip two special cases:
// [[ in the key produces empty string
// [test : starts with [ but does not end with ]
if ($part === '' || ! str_ends_with($part, ']')) {
// Malformed key, we use it "as is"
$array[$key] = $value;
return;
}
$part = substr($part, 0, -1); // The last char is a ] => remove it to have the real key
if ($part === '') { // [] case
$pointer = &$pointer[];
} else {
$pointer = &$pointer[$part];
}
}
$pointer = $value;
}The conversion process produces a different output compared to the one of plain PHP when keys ending with and open square bracket ([) are used.
Let's take for example the following part:
------WebKitFormBoundary
Content-Disposition: form-data; name="key0[key1][key2]["
value
------WebKitFormBoundary--
In plain PHP it would be converted to Array( [key0] => Array ( [key1] => Array ( [key2] => value) ) ), while in Bref it would be converted to Array( [key0] => Array ( [key1] => Array ( [key2] => ) ) [key0[key1][key2][] => value ).
Impact
Based on the application logic the difference in the body parsing might lead to vulnerabilities and/or undefined behaviors.
PoC
- Create a new Bref project.
- Create an
index.php file with the following content:
<?php
namespace App;
require __DIR__ . '/vendor/autoload.php';
use Nyholm\Psr7\Response;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\RequestHandlerInterface;
class MyHttpHandler implements RequestHandlerInterface
{
public function handle(ServerRequestInterface $request): ResponseInterface
{
return new Response(200, [], var_export($request->getParsedBody(),true));
}
}
return new MyHttpHandler();
- Use the following
serverless.yml to deploy the Lambda:
service: app
provider:
name: aws
region: eu-central-1
plugins:
- ./vendor/bref/bref
# Exclude files from deployment
package:
patterns:
- '!node_modules/**'
- '!tests/**'
functions:
api:
handler: index.php
runtime: php-83
events:
- httpApi: 'ANY /upload'
- Replay the following request after having replaced the
<HOST> placeholder with the deployed Lambda domain:
POST /upload HTTP/2
Host: <HOST>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQqDeSZSSvmn2rfjb
Content-Length: 180
------WebKitFormBoundaryQqDeSZSSvmn2rfjb
Content-Disposition: form-data; name="key0[key1][key2]["
value
------WebKitFormBoundaryQqDeSZSSvmn2rfjb--
- Notice how the body has been parsed.
- Create a
plain.php file with the following content:
- Start a PHP server inside the project directory (e.g.
php -S 127.0.0.1:8090).
- Replay the following request after having replaced the
<HOST> placeholder with the PHP server address:
POST /plain.php HTTP/1.1
Host: <HOST>
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryQqDeSZSSvmn2rfjb
Content-Length: 180
------WebKitFormBoundaryQqDeSZSSvmn2rfjb
Content-Disposition: form-data; name="key0[key1][key2]["
value
------WebKitFormBoundaryQqDeSZSSvmn2rfjb--
- Notice the differences in the parsing compared to what observed at step 5.
Suggested Remediation
Use the PHP function parse_str to parse the body parameters to mimic the plain PHP behavior.
References
smaury Reporter
Impacted Resources
bref/src/Event/Http/Psr7Bridge.php:130-168
Description
When Bref is used with the Event-Driven Function runtime and the handler is a
RequestHandlerInterface, then the Lambda event is converted to a PSR7 object.During the conversion process, if the request is a MultiPart, each part is parsed and its content added in the
$filesor$parsedBodyarrays.To do that, the following method is called with as first argument the result array (
$filesor$parsedBody), as second argument the part name, and as third argument the part content:The conversion process produces a different output compared to the one of plain PHP when keys ending with and open square bracket (
[) are used.Let's take for example the following part:
In plain PHP it would be converted to
Array( [key0] => Array ( [key1] => Array ( [key2] => value) ) ), while in Bref it would be converted toArray( [key0] => Array ( [key1] => Array ( [key2] => ) ) [key0[key1][key2][] => value ).Impact
Based on the application logic the difference in the body parsing might lead to vulnerabilities and/or undefined behaviors.
PoC
index.phpfile with the following content:serverless.ymlto deploy the Lambda:<HOST>placeholder with the deployed Lambda domain:plain.phpfile with the following content:php -S 127.0.0.1:8090).<HOST>placeholder with the PHP server address:Suggested Remediation
Use the PHP function
parse_strto parse the body parameters to mimic the plain PHP behavior.References