Responsible Disclosure
Reporting 5 security findings identified via static analysis. No bounty expected — sharing as a responsible disclosure for the health of the project.
Identified using AI-assisted code analysis (Semgrep + LLM validation), human reviewed before submission.
Finding 1: CWE-94 — Code injection via exec() in DrivePreview
- File: twake/backend/core/src/Twake/Drive/Services/DrivePreview.php
- Issue: Shell commands constructed dynamically with user-influenced data via exec()/shell_exec()
- Fix: Use escapeshellarg() for user input, or refactor to PHP native libraries
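As an added illustration of the suggested fix (example code, not Twake's DrivePreview implementation): the weak pattern interpolates a user-influenced name straight into a command string, while the hardened version validates the name against an allowlist and quotes every argument with escapeshellarg(). The `convert` invocation, the PREVIEW_ROOT constant and the function names are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not Twake's DrivePreview code. Assumed names: PREVIEW_ROOT,
// safeSourcePath(), buildPreviewCommandUnsafe(), buildPreviewCommand(); the
// ImageMagick `convert` invocation is a placeholder for whatever preview tool
// is actually shelled out to.

const PREVIEW_ROOT = '/var/lib/twake/drive'; // assumed storage root

// Validate the user-supplied name before it goes anywhere near a command:
// a plain file name only, no path separators, no control characters.
function safeSourcePath(string $name): string
{
    if ($name === '.' || $name === '..' || !preg_match('/^[A-Za-z0-9 ._()-]{1,128}$/', $name)) {
        throw new InvalidArgumentException('invalid file name');
    }
    return PREVIEW_ROOT . '/' . $name;
}

// Weak pattern (the shape the finding describes): user-influenced text is
// interpolated verbatim, so anything the shell treats specially in it becomes
// part of the command rather than part of the argument.
function buildPreviewCommandUnsafe(string $src, string $dst): string
{
    return "convert $src -thumbnail 256x256 $dst";
}

// Hardened pattern: validate first, then quote every argument with
// escapeshellarg() so the shell receives each one as a single literal word.
function buildPreviewCommand(string $name, string $dst): string
{
    $src = safeSourcePath($name);
    return 'convert ' . escapeshellarg($src)
         . ' -thumbnail 256x256 ' . escapeshellarg($dst);
}

// Constructed input: a legitimate-looking name containing characters the
// shell treats specially (spaces and parentheses).
$name = 'report (final).pdf';
echo buildPreviewCommandUnsafe(PREVIEW_ROOT . '/' . $name, '/tmp/preview.png'), "\n";
echo buildPreviewCommand($name, '/tmp/preview.png'), "\n";

// A name that is not a plain file name never reaches the command builder.
try {
    buildPreviewCommand('../other.pdf', '/tmp/preview.png');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The unsafe builder emits the name unquoted, so the spaces split it into several arguments; the hardened builder wraps each argument in single quotes. Where the Imagick extension is available, generating the thumbnail in-process removes the shell from the picture entirely, which is the "PHP native libraries" option the finding mentions.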
Finding 2: CWE-295 — Certificate validation issue in OpenID Connect
- File: twake/backend/core/src/Twake/Users/Controller/Adapters/OpenID/OpenIDConnectClient.php
- Issue: Potential certificate validation bypass in OIDC authentication flow
- Fix: Ensure strict SSL verification on all OIDC token/discovery requests
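An added example of what "strict SSL verification" looks like for the discovery and token requests (example code, not Twake's OpenIDConnectClient): a small cURL helper that refuses plain-HTTP endpoints, pins the protocol to HTTPS, and keeps peer and host verification on. The function name and the optional CA bundle parameter are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Twake's OIDC client. Assumed name: oidcHttpGet().
// The weak settings a review should look for are CURLOPT_SSL_VERIFYPEER => false
// or CURLOPT_SSL_VERIFYHOST => 0; this helper hard-codes the strict values.
function oidcHttpGet(string $url, ?string $caBundle = null): string
{
    if (stripos($url, 'https://') !== 0) {
        throw new InvalidArgumentException('OIDC endpoints must use https');
    }
    $ch = curl_init($url);
    if ($ch === false) {
        throw new RuntimeException('curl_init failed');
    }
    $opts = [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,          // do not silently follow to another host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS, // HTTPS only, even on redirect
        CURLOPT_SSL_VERIFYPEER => true,            // validate the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,               // and that the name matches the host
        CURLOPT_TIMEOUT        => 10,
    ];
    if ($caBundle !== null) {
        $opts[CURLOPT_CAINFO] = $caBundle;         // private CA for the IdP, if any
    }
    curl_setopt_array($ch, $opts);

    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);                    // includes TLS verification failures
        curl_close($ch);
        throw new RuntimeException('OIDC request failed: ' . $err);
    }
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($status !== 200) {
        throw new RuntimeException('OIDC request returned HTTP ' . $status);
    }
    return (string) $body;
}

// Offline check: a plain-HTTP discovery URL is rejected before any request is made.
try {
    oidcHttpGet('http://idp.example/.well-known/openid-configuration');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

A verification failure surfaces as a thrown exception with the cURL error text, so the calling code cannot fall through to parsing a response from an unverified peer. Passing a dedicated CA bundle for an internal identity provider is the correct way to handle private CAs; disabling verification is not.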
Finding 3: CWE-310 — Weak cryptographic implementation
- File: twake/backend/node/src/core/crypto/v2.ts
- Issue: Missing authentication tag length verification in AES decryption
- Fix: Validate GCM auth tag length before decryption
Finding 4: CWE-94 — Command injection in OpenSSL encryption
- File: twake/backend/core/src/Twake/Drive/Services/Storage/Encryption/OpenSSLCryptLib.php
- Issue: Shell command constructed with unsanitized input in encryption library
- Fix: Use PHP's openssl_* functions directly instead of shelling out
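An added example covering the fixes for Finding 3 and Finding 4 together (example code, not Twake's OpenSSLCryptLib.php or crypto/v2.ts): AES-256-GCM done in-process with PHP's openssl_* functions instead of a shelled-out `openssl` binary, with the authentication tag length checked before decryption is attempted. Finding 3's file is TypeScript; the same length check is shown here in PHP so that all the examples on this page share one language. The constant and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Twake's code. Assumed names: GCM_CIPHER, GCM_TAG_LEN,
// gcmEncrypt(), gcmDecrypt().

const GCM_CIPHER  = 'aes-256-gcm';
const GCM_TAG_LEN = 16; // full 128-bit tag

function gcmEncrypt(string $key, string $plaintext, string $aad = ''): array
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 key must be 32 bytes');
    }
    $iv  = random_bytes(openssl_cipher_iv_length(GCM_CIPHER)); // 12 bytes, fresh per message
    $tag = '';
    $ct  = openssl_encrypt($plaintext, GCM_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, GCM_TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return ['iv' => $iv, 'ct' => $ct, 'tag' => $tag];
}

function gcmDecrypt(string $key, string $iv, string $ct, string $tag, string $aad = ''): string
{
    if (strlen($key) !== 32) {
        throw new InvalidArgumentException('AES-256 key must be 32 bytes');
    }
    if (strlen($iv) !== openssl_cipher_iv_length(GCM_CIPHER)) {
        throw new InvalidArgumentException('bad IV length');
    }
    // Finding 3's check: the tag arrives with the ciphertext, so its length is
    // verified here rather than trusting the library to compare whatever it is handed.
    if (strlen($tag) !== GCM_TAG_LEN) {
        throw new InvalidArgumentException('GCM tag must be exactly ' . GCM_TAG_LEN . ' bytes');
    }
    $pt = openssl_decrypt($ct, GCM_CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad);
    if ($pt === false) {
        throw new RuntimeException('authentication failed'); // tampered data, wrong key or wrong tag
    }
    return $pt;
}

// Round trip with a constructed key and message.
$key = random_bytes(32);
$box = gcmEncrypt($key, 'drive file contents', 'file-id:123');
echo gcmDecrypt($key, $box['iv'], $box['ct'], $box['tag'], 'file-id:123'), "\n";

// A truncated tag is refused before openssl_decrypt() is ever called.
try {
    gcmDecrypt($key, $box['iv'], $box['ct'], substr($box['tag'], 0, 8), 'file-id:123');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// A single flipped ciphertext byte fails authentication instead of yielding garbage.
$tampered = $box['ct'];
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
try {
    gcmDecrypt($key, $box['iv'], $tampered, $box['tag'], 'file-id:123');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Besides removing the command-construction problem, staying in-process keeps the key out of the command line, where a shelled-out `openssl` invocation would expose it to anything that can list processes on the host.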
Finding 5: CWE-697 — MD5 comparison bypass
- File: twake/backend/core/src/Twake/Drive/Services/Storage/Encryption/AESCryptFileLib.php
- Issue: PHP loose comparison with MD5 hashes vulnerable to type juggling (0e prefix)
- Fix: Use hash_equals() for constant-time comparison
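An added example of the comparison problem and its fix (example code, not Twake's AESCryptFileLib): two constructed hex strings that both start with "0e" followed only by digits are numeric strings to PHP, so `==` compares them as the number zero and reports a match; hash_equals() compares the bytes in constant time and does not. The digests are constructed for the demonstration and the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not Twake's code. Assumed names: digestsMatchLoose(),
// digestsMatchStrict(). The digests below are constructed, not real MD5 outputs.

// The pattern the finding describes: loose comparison of two hex digests.
function digestsMatchLoose(string $expected, string $actual): bool
{
    return $expected == $actual; // numeric strings are compared as numbers
}

// The fix: constant-time byte comparison. hash_equals() already returns false
// on a length mismatch; the explicit length check documents the expected format.
function digestsMatchStrict(string $expected, string $actual): bool
{
    return strlen($actual) === 32 && hash_equals($expected, $actual);
}

// Constructed 32-character digests of the form "0e" + 30 digits.
$stored   = '0e' . str_repeat('1', 30);
$supplied = '0e' . str_repeat('2', 30);

var_dump(digestsMatchLoose($stored, $supplied));   // different strings, loose match
var_dump(digestsMatchStrict($stored, $supplied));  // different strings, strict mismatch
var_dump(digestsMatchStrict($stored, $stored));    // identical strings still match
```

The loose comparison returns true for the two different strings because `"0e111…" == "0e222…"` is evaluated as `0.0 == 0.0`; the strict version returns false for them and true only for the identical digest. hash_equals() also takes the known-good value as its first argument, which is what gives it its constant-time guarantee.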
Full detailed reports with reproduction steps and suggested fixes available on request.
Thomas Edrington (HumboldtJoker)