[C3] downloads.rs body().unwrap() on attacker-controlled Content-Disposition filename -> unauthenticated panic/DoS #12

Open
opened 2026-06-05 17:35:05 -07:00 by azcomputerguru · 0 comments

Severity: Critical

Component(s): server

Affected file(s):

  • server/src/api/downloads.rs

Problem:
Response::builder()...body().unwrap() runs on an attacker-controlled Content-Disposition filename, allowing an unauthenticated panic and worker DoS.

Recommended fix:
Use a real error path (no unwrap), reject or RFC5987-encode the filename, and cap input length.

Remediation phase: P0

From the 2026-06-05 three-way review (Claude+Gemini+Grok) — see reports/review-2026-06-05/SYNTHESIS-three-way.md (finding C3) and REMEDIATION-PLAN.md (P0).

azcomputerguru added the severity:critical, component:server, security labels 2026-06-05 17:35:05 -07:00

Reference: azcomputerguru/guru-connect#12
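
One way to implement the recommended fix, as an added example that is not code from guru-connect: the untrusted filename is length-capped, rejected if it contains control characters, and RFC 5987-encoded into a `Result`, so the handler can answer with an error instead of panicking. The function name, error type and 255-byte cap are assumptions, and the sketch is std-only so it stops just before the `Response::builder()` call.

```rust
// Added example (std only). Names and the cap are assumptions, not project code.
const MAX_FILENAME_BYTES: usize = 255; // assumed cap on untrusted input

#[derive(Debug, PartialEq)]
pub enum FilenameError {
    Empty,
    TooLong,
    ControlChar,
}

/// RFC 5987 attr-char: bytes that may appear unescaped in an ext-value.
fn is_attr_char(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b"!#$&+-.^_`|~".contains(&b)
}

/// Build a Content-Disposition value from an untrusted filename.
/// The result contains printable ASCII only.
pub fn content_disposition(untrusted: &str) -> Result<String, FilenameError> {
    if untrusted.is_empty() {
        return Err(FilenameError::Empty);
    }
    if untrusted.len() > MAX_FILENAME_BYTES {
        return Err(FilenameError::TooLong);
    }
    // Reject CR, LF, NUL and other control characters instead of encoding them.
    if untrusted.chars().any(|c| c.is_control()) {
        return Err(FilenameError::ControlChar);
    }
    let mut encoded = String::with_capacity(untrusted.len() * 3);
    for &b in untrusted.as_bytes() {
        if is_attr_char(b) {
            encoded.push(b as char);
        } else {
            encoded.push_str(&format!("%{:02X}", b)); // percent-encode UTF-8 byte
        }
    }
    Ok(format!("attachment; filename*=UTF-8''{}", encoded))
}

fn main() {
    // Constructed sample inputs: plain, non-ASCII, and one carrying CR/LF.
    for name in ["report.pdf", "résumé 2026.pdf", "a\r\nX-Injected: 1"] {
        match content_disposition(name) {
            Ok(v) => println!("200 Content-Disposition: {}", v),
            Err(e) => println!("400 rejected: {:?}", e), // error path, no panic
        }
    }
}
```

In the handler, the `Err` arm maps to a 4xx response, and the result of `body()` is propagated as an error rather than unwrapped.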