
Security: 5 vulnerability findings in backend services #2838

Description

@HumboldtJoker

Responsible Disclosure

Reporting 5 security findings identified via static analysis. No bounty expected — sharing as a responsible disclosure for the health of the project.

Identified using AI-assisted code analysis (Semgrep + LLM validation), human reviewed before submission.

Finding 1: CWE-94 — Code injection via exec() in DrivePreview

  • File: twake/backend/core/src/Twake/Drive/Services/DrivePreview.php
  • Issue: Shell commands constructed dynamically with user-influenced data via exec()/shell_exec()
  • Fix: Use escapeshellarg() for user input, or refactor to PHP native libraries

Finding 2: CWE-295 — Certificate validation issue in OpenID Connect

  • File: twake/backend/core/src/Twake/Users/Controller/Adapters/OpenID/OpenIDConnectClient.php
  • Issue: Potential certificate validation bypass in OIDC authentication flow
  • Fix: Ensure strict SSL verification on all OIDC token/discovery requests

Finding 3: CWE-310 — Weak cryptographic implementation

  • File: twake/backend/node/src/core/crypto/v2.ts
  • Issue: Missing authentication tag length verification in AES decryption
  • Fix: Validate GCM auth tag length before decryption

Finding 4: CWE-94 — Command injection in OpenSSL encryption

  • File: twake/backend/core/src/Twake/Drive/Services/Storage/Encryption/OpenSSLCryptLib.php
  • Issue: Shell command constructed with unsanitized input in encryption library
  • Fix: Use PHP's openssl_* functions directly instead of shelling out

Finding 5: CWE-697 — MD5 comparison bypass

  • File: twake/backend/core/src/Twake/Drive/Services/Storage/Encryption/AESCryptFileLib.php
  • Issue: PHP loose comparison with MD5 hashes vulnerable to type juggling (0e prefix)
  • Fix: Use hash_equals() for constant-time comparison

Full detailed reports with reproduction steps and suggested fixes available on request.

Thomas Edrington (HumboldtJoker)
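Added example, not Twake's code: the native `openssl_*` approach the fixes for Findings 3 and 4 point at, with the authentication tag length checked before OpenSSL is asked to decrypt. The function names, the `iv || tag || ciphertext` layout, the 32-byte key and the `file-id:42` associated data are assumptions for illustration, not the project's format.

```php
<?php
// Added example (not Twake's code): AES-256-GCM through PHP's openssl_* functions,
// no shell involved, with the GCM tag length validated before decryption.

declare(strict_types=1);

const GCM_CIPHER  = 'aes-256-gcm';
const GCM_IV_LEN  = 12;  // 96-bit nonce, the GCM default
const GCM_TAG_LEN = 16;  // 128-bit tag; OpenSSL accepts shorter tags, which weakens forgery resistance

/** Encrypt with AES-256-GCM; returns iv || tag || ciphertext as a binary string (assumed layout). */
function gcm_encrypt(string $key, string $plaintext, string $aad = ''): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    $iv  = random_bytes(GCM_IV_LEN);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, GCM_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, GCM_TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed: ' . openssl_error_string());
    }
    return $iv . $tag . $ct;
}

/** Decrypt; rejects blobs whose tag is missing or truncated before calling OpenSSL. */
function gcm_decrypt(string $key, string $blob, string $aad = ''): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('key must be 32 bytes');
    }
    // A blob shorter than iv + tag cannot carry a full-length tag. Without this check a
    // truncated tag would be handed to openssl_decrypt, which verifies only the bytes it is given.
    if (strlen($blob) < GCM_IV_LEN + GCM_TAG_LEN) {
        throw new RuntimeException('ciphertext too short: authentication tag missing or truncated');
    }
    $iv  = substr($blob, 0, GCM_IV_LEN);
    $tag = substr($blob, GCM_IV_LEN, GCM_TAG_LEN);
    $ct  = substr($blob, GCM_IV_LEN + GCM_TAG_LEN);
    if (strlen($tag) !== GCM_TAG_LEN) {
        throw new RuntimeException('unexpected authentication tag length');
    }
    $pt = openssl_decrypt($ct, GCM_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($pt === false) {
        throw new RuntimeException('authentication failed or corrupt ciphertext');
    }
    return $pt;
}

// Demonstration with a constructed, throwaway key (never hard-code a real key).
$key  = random_bytes(32);
$blob = gcm_encrypt($key, 'attachment bytes', 'file-id:42');
echo 'round trip ok: ', var_export(gcm_decrypt($key, $blob, 'file-id:42') === 'attachment bytes', true), "\n";

// Flip one ciphertext bit: the tag no longer verifies and decryption must fail.
$tampered = $blob;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    gcm_decrypt($key, $tampered, 'file-id:42');
    echo "BUG: tampered ciphertext accepted\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Truncate the blob so only 4 bytes of tag remain: rejected by the length check
// before OpenSSL is ever called.
try {
    gcm_decrypt($key, substr($blob, 0, GCM_IV_LEN + 4), 'file-id:42');
    echo "BUG: truncated tag accepted\n";
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The length check matters because `openssl_decrypt()` derives the tag length from the string it receives; a 4-byte tag is verified against 4 bytes, so an implementation that trusts the caller-supplied tag length silently loses most of GCM's integrity guarantee.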
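Added example, not Twake's code, for Finding 5: the loose-comparison pattern beside the `hash_equals()` fix. The two digests are constructed strings chosen only for their shape (`0e` followed by digits, 32 characters like an MD5 hex digest); they are not real MD5 outputs, and the function names are assumptions.

```php
<?php
// Added example (not Twake's code): why `==` on hex digests is unsafe and how
// hash_equals() fixes it.

declare(strict_types=1);

// Constructed digests, not real MD5 outputs. Both are "0e" followed by digits only,
// so PHP treats each as a numeric string whose value is 0.0.
const STORED_DIGEST  = '0e123456789012345678901234567890';
const OFFERED_DIGEST = '0e098765432109876543210987654321';

/** Vulnerable pattern: loose comparison of two hex strings. */
function verify_loose(string $stored, string $offered): bool
{
    // Two numeric strings are compared numerically, so distinct "0e..." digests match.
    return $stored == $offered;
}

/** Fixed pattern: constant-time byte-for-byte comparison with no numeric coercion. */
function verify_strict(string $stored, string $offered): bool
{
    // hash_equals() also avoids the timing side channel of an early-exit comparison.
    return hash_equals($stored, $offered);
}

// The strings differ in every digit after "0e", yet the loose check reports a match.
echo 'loose  : ', var_export(verify_loose(STORED_DIGEST, OFFERED_DIGEST), true), "\n";
echo 'strict : ', var_export(verify_strict(STORED_DIGEST, OFFERED_DIGEST), true), "\n";

// Ordinary digests behave the same under both checks, which is why unit tests
// written with arbitrary inputs never trip over the defect.
$a = md5('first');
$b = md5('second');
echo 'loose  (a,b): ', var_export(verify_loose($a, $b), true), "\n";
echo 'strict (a,b): ', var_export(verify_strict($a, $b), true), "\n";
echo 'strict (a,a): ', var_export(verify_strict($a, md5('first')), true), "\n";
```

When auditing for this, search for `==` or `!=` applied to the result of `md5()`, `sha1()`, `hash()` or `hash_hmac()`; each should become `hash_equals()` (or `===` where timing is not a concern), with the known-good value as the first argument.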
