Golang Server-Side MIME Sniff
The vulnerability is a Server-Side MIME Sniff issue in the answerdev/answer project (a Q&A platform) that leads to a stored XSS vulnerability. What is really interesting is that the bug primarily only appears when running the application under Docker.
The Gin StaticRouter will set the Content-Type for files based on the response from mime.TypeByExtension. If the call returns an empty string, then it will attempt to sniff the content. The Answer project uses the Gin StaticRouter to serve user-uploaded images. The upload process uses an allow-list of image extensions, so nothing too interesting there.
When serving the file, though, the mime.TypeByExtension function has only a small local database and instead relies on MIME type databases provided elsewhere, such as Apache's mime.types file, being present on the server. On Alpine, none of the files it looks for are present, so the Gin framework falls back to sniffing the content, allowing an attacker to upload HTML with an image extension and have it served as HTML.
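An added example, not code from the Answer project or from Gin, showing the defensive pattern for this class of bug: a hypothetical upload handler that pins the Content-Type from its own extension allow-list (assumed here, not Answer's list) and sets nosniff, beside http.DetectContentType showing what the stdlib fallback would report for the same bytes when mime.TypeByExtension has no database to consult.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"path/filepath"
	"strings"
)

// Explicit extension -> Content-Type map for the upload directory (assumed
// allow-list, not Answer's). Unlisted extensions are served as opaque bytes.
var allowedImageTypes = map[string]string{
	".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
	".gif": "image/gif", ".webp": "image/webp",
}

// contentTypeFor picks the Content-Type from the allow-list only; it never
// consults mime.TypeByExtension (empty on a bare Alpine image) or sniffs.
func contentTypeFor(name string) string {
	if ct, ok := allowedImageTypes[strings.ToLower(filepath.Ext(name))]; ok {
		return ct
	}
	return "application/octet-stream"
}

// serveUpload (hypothetical handler) sends the stored bytes with a pinned type
// and nosniff, so an HTML body saved as "x.png" is still delivered as image/png.
func serveUpload(w http.ResponseWriter, name string, body []byte) {
	ct := contentTypeFor(name)
	w.Header().Set("Content-Type", ct)
	w.Header().Set("X-Content-Type-Options", "nosniff")
	if ct == "application/octet-stream" {
		w.Header().Set("Content-Disposition", "attachment")
	}
	_, _ = w.Write(body)
}

// responseHeadersFor runs serveUpload against a recorder so the headers can
// be inspected without a listening server.
func responseHeadersFor(name string, body []byte) http.Header {
	rec := httptest.NewRecorder()
	serveUpload(rec, name, body)
	return rec.Result().Header
}

// sniffedType is what the stdlib fallback reports for the same bytes: the
// value the vulnerable path ends up using when TypeByExtension returns "".
func sniffedType(body []byte) string { return http.DetectContentType(body) }
```

Comparing sniffedType against responseHeadersFor on an HTML body stored under a .png name makes the Alpine failure mode visible: the sniffer says text/html, the pinned handler still says image/png.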