Unsafe methods #483

Closed
alexcos20 opened this issue Jun 13, 2022 · 0 comments · Fixed by #484
Labels
Priority: Critical Type: Bug Something isn't working

Bug Description

When creating an Ocean asset, the access service requires a files object. If the file is not of type IPFS, it contains a URL and an optional HTTP method (e.g. GET, POST, etc.). This method parameter is used as a method name in the requests Session class but not properly sanitised.

If the method fails, the error message is also under the control of the attacker and displayed to the user with the authority of the provider.

File: ocean_provider/utils/util.py lines 62-65

method = getattr(requests_session, method.lower())
response = method(
    download_url, headers=download_request_headers, stream=True, timeout=3
)

where method.tolower() comes from ocean_provider/routes/consume.py line 367 method=url_object.get("method", "GET") which is user supplied.

When the asset is downloaded using the /download endpoint, method is called directly in Session class, and so can run at least the following methods:

get()
post()

These methods below should not be accessible, but are:

request()
resolve_redirects()
send()
__new__()
__init__()
__enter__()
__exit__()
__init__()
__format__()
__dir__()
__delattr__()
__eq__()
__ge__()
__getattribute__()
__gt__()
__hash__()
__le__()
__lt__()
__ne__()
__repr__()
__setattr__()
__str__()

Other methods may also be available depending on the package and Python version, raising its security risk severity level.

Primary Impact

An attacker can call arbitrary methods in the requests Session including magic methods with double underscores (dunder) on both sides of the method name. Since some of the parameters in the method call are also user-controlled, it could potentially allow an attacker to call an existing or magic method and execute arbitrary code.

Secondary Impact

An attacker could craft an error message in such a way as to convince a user to transfer funds, visit a malicious website, or email the attacker.

Risk Breakdown

Difficulty to Exploit: Intermediate
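
One way to close the dispatch described in this issue, shown as an added example that is not the provider's code or the fix merged in #484: resolve the method name through an allowlist and reject everything else with a fixed message. `FakeSession`, `resolve_unsafe`, `resolve_safe`, `audit` and `ALLOWED_METHODS` are hypothetical names, and `FakeSession` is a constructed stand-in for `requests.Session` so the block runs offline.

```python
# Added example: an allowlist in front of the getattr() dispatch from the issue.
# Assumption: only the two methods the issue lists as intended are permitted.
ALLOWED_METHODS = frozenset({"get", "post"})


class FakeSession:
    """Constructed stand-in for requests.Session (no network access needed)."""

    def get(self, url, **kwargs):
        return ("GET", url)

    def post(self, url, **kwargs):
        return ("POST", url)

    def send(self, request, **kwargs):  # must never be reachable from user input
        return ("SEND", request)


def resolve_unsafe(session, method):
    """Pattern reported in the issue: any attribute name supplied is resolved."""
    return getattr(session, method.lower())


def resolve_safe(session, method):
    """Resolve only allowlisted HTTP verbs; anything else is rejected."""
    if not isinstance(method, str):
        raise ValueError("Unsupported HTTP method")
    name = method.strip().lower()
    if name not in ALLOWED_METHODS:
        # Fixed text: the rejected value is not echoed back, so the caller
        # cannot shape the error shown to the user (the secondary impact).
        raise ValueError("Unsupported HTTP method")
    return getattr(session, name)


def audit(session, candidates):
    """Names the unsafe resolver accepts but the allowlisted one rejects."""
    exposed = []
    for name in candidates:
        try:
            resolve_unsafe(session, name)
        except AttributeError:
            continue  # not an attribute of the session at all
        try:
            resolve_safe(session, name)
        except ValueError:
            exposed.append(name)
    return exposed
```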
