July 30, 2014 William Durand

Andreas Forsblom reported two potential security issues in JsTranslationBundle: a path traversal attack and a remote code injection.

The locales parameter was not validated at all, so the following request was accepted:

http://localhost/translations?locales=randomstring/something

The file something.js was created in the subdirectory messages.randomstring of the cache directory, which was not intended. Because the parameter was used as-is to build the path, it became possible to traverse out of the bundle's cache directory with ".." segments:

http://localhost/translations?locales=randomstring/../../evil

The request above served the following file:

/var/www/someproject/app/cache/dev/bazinga-js-translation/messages.randomstring/../../evil.js

Depending on the configuration of the server, it was even possible to create or overwrite files in the web directory. Filtering the locales parameter fixes this issue as well as the remote code injection one described below.

It was also possible to pass JavaScript code to the locales parameter, which was then injected into the generated JS files.

http://localhost/translations?locales=foo%0Auncommented%20code;

The request above generated the following code (the %0A newline ends the generated comment, so everything after it is emitted as executable JavaScript):

    (function (Translator) {
        Translator.fallback = 'en';
        Translator.defaultDomain = 'messages';
        // foo
        uncommented code;
    })(Translator);
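Both issues come from the same root cause: the locales parameter reaches the cache path builder and the JS template unvalidated. The following PHP is an added illustration written for this post, not the bundle's own code or its actual fix; the function names, the locale regex and the cache path layout ({cacheDir}/{domain}.{locale}.{format}, inferred from the paths quoted above) are assumptions. It shows a strict allowlist check on each locale plus a defence-in-depth check that the resulting cache path stays inside the cache directory:

```php
<?php
// Added example (not JsTranslationBundle code): validate the `locales`
// query parameter before it is used for file paths or generated JS.

declare(strict_types=1);

/**
 * Split the comma-separated `locales` value and keep only strings that
 * look like a locale identifier ("en", "fr_FR", "pt-BR"). Slashes, "..",
 * newlines and semicolons never match, so both the traversal and the
 * injection payloads are rejected before any path or JS is built.
 *
 * @return string[] validated locales; throws on the first bad value
 */
function parseLocales(string $raw): array
{
    $locales = [];
    foreach (explode(',', $raw) as $candidate) {
        $candidate = trim($candidate);
        if ($candidate === '') {
            continue;
        }
        // Anchored with \A and \z: a plain `$` in PCRE still matches before a
        // trailing "\n", which is exactly the character the injection relied on.
        if (!preg_match('/\A[a-z]{2,3}(?:[_-][A-Za-z]{2,4})?\z/', $candidate)) {
            throw new InvalidArgumentException(sprintf('Invalid locale "%s"', $candidate));
        }
        $locales[] = $candidate;
    }
    if ($locales === []) {
        throw new InvalidArgumentException('No locale given');
    }
    return $locales;
}

/**
 * Build the cache path for one locale and refuse any result that resolves
 * outside $cacheDir. Hypothetical layout: {cacheDir}/{domain}.{locale}.{format}.
 * The normalisation is done on the string so it works before the file exists
 * (realpath() would return false for a file that has not been written yet).
 */
function cachePathFor(string $cacheDir, string $domain, string $locale, string $format): string
{
    $cacheDir = rtrim($cacheDir, '/');
    $path = sprintf('%s/%s.%s.%s', $cacheDir, $domain, $locale, $format);

    $parts = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    $normalised = '/' . implode('/', $parts);

    if (strpos($normalised, $cacheDir . '/') !== 0) {
        throw new RuntimeException('Cache path escapes the cache directory');
    }
    return $normalised;
}

// Constructed inputs mirroring the requests in the advisory.
$cacheDir = '/var/www/someproject/app/cache/dev/bazinga-js-translation';
foreach (['en,fr_FR', 'randomstring/../../evil', "foo\nuncommented code;"] as $raw) {
    try {
        foreach (parseLocales($raw) as $locale) {
            echo cachePathFor($cacheDir, 'messages', $locale, 'js'), "\n";
        }
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Run with `php example.php`: the first input yields two paths under the cache directory, while the traversal and newline payloads are rejected by parseLocales before any path is built. The containment check in cachePathFor is deliberately redundant with the regex; it is the safety net if the allowlist is ever loosened.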

These two issues have been fixed in version 2.1.1. All users must upgrade to this release!

For further information, please read the release note.