Golang Server-Side MIME Sniff

We discussed this vulnerability during Episode 199 on 27 March 2023

The vulnerability is a Server-Side MIME Sniff issue in the answerdev/answer project (a Q&A platform) that leads to a stored XSS vulnerability. What is really interesting is that the bug only reliably appears when the application is run under Docker.

The Gin StaticRouter sets the Content-Type for files based on the return value of mime.TypeByExtension. If that call returns an empty string, it falls back to sniffing the content. The Answer project uses the Gin StaticRouter to serve user-uploaded images. The upload process uses an allow-list of image extensions, so nothing too interesting there.

When serving the file, though, mime.TypeByExtension has only a small built-in table and otherwise relies on MIME type databases found elsewhere on the system, such as Apache's mime.types file, being present on the server. On Alpine, none of the files it looks for are present, so the Gin framework falls back to sniffing the content. That allows an attacker to upload HTML with an image extension and have it served as HTML.
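To make the mechanism concrete, here is an added Go example (not code from the answerdev/answer project or from Gin) that shows the two halves of the issue from a defender's side: `http.DetectContentType` is what `net/http` falls back to when no extension mapping exists, and it labels HTML bytes as `text/html` regardless of the `.png` name; the hardened handler sidesteps that by taking the Content-Type from its own allow-list, setting it before `http.ServeContent` runs (so no sniffing happens), and adding `X-Content-Type-Options: nosniff`. The upload directory, the allow-list contents and the `/uploads/` path are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
)

// Constructed allow-list for the example: the image extensions an upload
// endpoint accepts, each mapped to an explicit Content-Type. Serving then
// never depends on mime.TypeByExtension finding a system mime.types file.
var allowedImageTypes = map[string]string{
	".png":  "image/png",
	".jpg":  "image/jpeg",
	".jpeg": "image/jpeg",
	".gif":  "image/gif",
	".webp": "image/webp",
}

// ContentTypeForUpload returns the fixed Content-Type for an allow-listed
// image extension, or ok=false for anything else (case-insensitive match).
func ContentTypeForUpload(name string) (string, bool) {
	ct, ok := allowedImageTypes[strings.ToLower(filepath.Ext(name))]
	return ct, ok
}

// SniffedType shows what net/http falls back to when it has no extension
// mapping: HTML bytes stored under an image name come back as text/html.
func SniffedType(data []byte) string {
	return http.DetectContentType(data)
}

// UploadHandler serves files from dir with a Content-Type taken from the
// allow-list. Because the header is set before ServeContent is called,
// ServeContent does not sniff the body; nosniff stops the browser doing so.
func UploadHandler(dir string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := filepath.Base(r.URL.Path) // only the file name: no directory traversal
		ct, ok := ContentTypeForUpload(name)
		if !ok {
			http.NotFound(w, r) // unknown extension: refuse rather than guess
			return
		}
		f, err := os.Open(filepath.Join(dir, name))
		if err != nil {
			http.NotFound(w, r)
			return
		}
		defer f.Close()
		st, err := f.Stat()
		if err != nil || st.IsDir() {
			http.NotFound(w, r)
			return
		}
		h := w.Header()
		h.Set("Content-Type", ct)
		h.Set("X-Content-Type-Options", "nosniff")
		h.Set("Content-Security-Policy", "sandbox") // defence in depth if the body is ever rendered
		http.ServeContent(w, r, name, st.ModTime(), f)
	})
}

func main() {
	dir, err := os.MkdirTemp("", "uploads")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed sample: HTML saved under an image extension, as in the writeup.
	payload := []byte("<html><script>alert(1)</script></html>")
	if err := os.WriteFile(filepath.Join(dir, "evil.png"), payload, 0o600); err != nil {
		panic(err)
	}
	fmt.Println("fallback sniff result:", SniffedType(payload))

	rec := httptest.NewRecorder()
	UploadHandler(dir).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/uploads/evil.png", nil))
	fmt.Println("served as:", rec.Header().Get("Content-Type"),
		"/", rec.Header().Get("X-Content-Type-Options"))
}
```

The key line is the explicit `Content-Type` set before `http.ServeContent`: Go's file-serving helpers only sniff when that header is absent, which is exactly the state an Alpine image without a mime.types database leaves you in. A quick check on a deployed container is `mime.TypeByExtension(".ico")` (or whichever extensions the upload allow-list permits) returning `""`, which means every such file is being served on the sniffing path.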