Description

Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials The application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access. A public caller who knows a workspace ID and S3 datasource ID can request a signed upload URL for attacker-controlled bucket and key values.

Details

The static route registers the signed upload URL endpoint with only recaptcha before the controller:

packages/server/src/api/routes/static.ts:44-48

44:  .post(
45:    "/api/attachments/:datasourceId/url",
46:    recaptcha,
47:    controller.getSignedUploadURL
48:  )

The controller loads the datasource by datasourceId with enriched secret values:

packages/server/src/api/controllers/static/index.ts:590-598

590:export const getSignedUploadURL = async function (
591:  ctx: Ctx<GetSignedUploadUrlRequest, GetSignedUploadUrlResponse>
592:) {
593:  // Ensure datasource is valid
594:  let datasource
595:  try {
596:    const { datasourceId } = ctx.params
597:    datasource = await sdk.datasources.get(datasourceId, { enriched: true })...
Show more

The request body controls bucket and key, and the server signs a PUT URL using the stored datasource credentials:

packages/server/src/api/controllers/static/index.ts:609-629

609:  if (datasource?.source === "S3") {
610:    const { bucket, key } = ctx.request.body || {}
611:    if (!bucket || !key) {
612:      ctx.throw(400, "bucket and key values are required")
613:    }
614:    try {
615:      let endpoint = datasource?.config?.endpoint
616:      if (endpoint && !utils.urlHasProtocol(endpoint)) {...
Show more

The endpoint returns the signed URL and public URL to the caller:

packages/server/src/api/controllers/static/index.ts:630-639

630:        publicUrl = `${endpoint}/${bucket}/${key}`
631:      } else {
632:        publicUrl = `https://${bucket}.s3.${awsRegion}.amazonaws.com/${key}`
633:      }
634:    } catch (error: any) {
635:      ctx.throw(400, error)
636:    }
637:  }...
Show more

Because no authorization middleware is applied, the API trusts public input to choose where the stored S3 credentials will write.

PoC

Non-destructive validation approach:

Create or identify a workspace with an S3 datasource.

Obtain the production workspace ID and S3 datasource ID.

Send an unauthenticated request with the workspace ID header and attacker-controlled bucket/key:

POST /api/attachments/<datasourceId>/url HTTP/1.1
x-budibase-app-id: app_<workspace-id>
content-type: application/json

{"bucket":"attacker-controlled-or-permitted-bucket","key":"poc/budibase.txt"}

Observe that the response contains a signed PUT URL.

Upload harmless content to the returned signedUrl and confirm the object is created using the datasource's stored S3 credentials.

Impact

This allows unauthenticated arbitrary object writes wherever the stored S3 datasource credentials have PutObject access. Depending on the datasource permissions, this can corrupt application data, overwrite public assets, place attacker-controlled objects in trusted buckets, consume storage, or abuse an organization's cloud credentials.

Mitigation

Aliases

References