Summary
getImsAdminProfile in spacecat-shared-ims-client constructs a application/x-www-form-urlencoded POST body via string concatenation without URL-encoding the guid or authSource values. This allows form body parameter injection if the caller passes unsanitized user input.
Location
packages/spacecat-shared-ims-client/src/clients/ims-client.js - around line 357:
const formBody = `guid=${guid}&client_id=${this.config.clientId}&auth_src=${authSource}`;The guid and authSource come from extractGuidAndAuthSource in utils.js (line ~69), which does a bare split('@') with no validation or encoding:
const [guid, authSource] = imsId.split('@');Attack Scenario
If a caller passes user-controlled input (e.g., from a Slack command or API parameter), an attacker can inject additional form parameters:
- Input:
fakeGuid&client_id=malicious_client@AdobeOrg
- After
split('@'): guid = "fakeGuid&client_id=malicious_client", authSource = "AdobeOrg"
- Resulting form body:
guid=fakeGuid&client_id=malicious_client&client_id=<real_client_id>&auth_src=AdobeOrg
Depending on how the IMS server handles duplicate parameters (first-wins vs last-wins), the attacker could override client_id or inject arbitrary parameters into an authenticated server-to-server request bearing a service access token.
Impact
- This is a form parameter pollution / HTTP parameter tampering vulnerability
- The request is authenticated with a service access token (admin-profile-read scope), so injected parameters ride on elevated credentials
- Affects all callers of
getImsAdminProfile, not just a specific command
- Practical exploitability depends on IMS server-side parsing behavior, but the vulnerability exists in the code path regardless
Recommended Fix
Use URLSearchParams instead of string concatenation:
const params = new URLSearchParams();
params.set('guid', guid);
params.set('client_id', this.config.clientId);
params.set('auth_src', authSource);
const formBody = params.toString();This automatically URL-encodes all values, preventing parameter injection.
Additionally, extractGuidAndAuthSource should validate the input format before splitting:
const IMS_ID_PATTERN = /^[A-Za-z0-9]+@[A-Za-z0-9]+$/;
if (!IMS_ID_PATTERN.test(imsId)) {
throw new Error(`Invalid IMS ID format: expected GUID@AuthSource`);
}Found During
Security review of adobe/spacecat-api-service#1814
Summary
getImsAdminProfileinspacecat-shared-ims-clientconstructs aapplication/x-www-form-urlencodedPOST body via string concatenation without URL-encoding theguidorauthSourcevalues. This allows form body parameter injection if the caller passes unsanitized user input.Location
packages/spacecat-shared-ims-client/src/clients/ims-client.js- around line 357:The
guidandauthSourcecome fromextractGuidAndAuthSourceinutils.js(line ~69), which does a baresplit('@')with no validation or encoding:Attack Scenario
If a caller passes user-controlled input (e.g., from a Slack command or API parameter), an attacker can inject additional form parameters:
fakeGuid&client_id=malicious_client@AdobeOrgsplit('@'):guid = "fakeGuid&client_id=malicious_client",authSource = "AdobeOrg"guid=fakeGuid&client_id=malicious_client&client_id=<real_client_id>&auth_src=AdobeOrgDepending on how the IMS server handles duplicate parameters (first-wins vs last-wins), the attacker could override
client_idor inject arbitrary parameters into an authenticated server-to-server request bearing a service access token.Impact
getImsAdminProfile, not just a specific commandRecommended Fix
Use
URLSearchParamsinstead of string concatenation:This automatically URL-encodes all values, preventing parameter injection.
Additionally,
extractGuidAndAuthSourceshould validate the input format before splitting:Found During
Security review of adobe/spacecat-api-service#1814