@budibase/server: Missing Authorization in POST /api/attachments/:datasourceId/url Allows Anonymous S3 Write
The POST /api/attachments/:datasourceId/url endpoint lacks authorization middleware, enabling anonymous attackers to obtain pre-signed S3 PUT URLs using the victim's IAM credentials.
What changed
The bucket parameter is attacker-controlled, allowing writes to any S3 bucket the credentials can access.
Who it affects
All Budibase instances with S3 datasources configured. Any anonymous attacker who knows or can enumerate a workspace ID and datasource ID can exploit this.
What to do today
Apply the fix: add authorized(BUILDER) middleware to the route and pin the bucket to datasource.config.bucket in the controller. Alternatively, restrict network access to the endpoint or disable S3 datasources until patched.
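The two-part fix described above, modelled as an added example (not Budibase's own code): a guard that runs before the controller, and a controller that takes the bucket from the stored datasource instead of the request. The middleware runner, the sample datasource, signUploadUrl and the simplified authorized implementation are hypothetical stand-ins.

```javascript
// Added illustration: a synchronous model of a Koa-style route. The bodies of
// authorized(), signUploadUrl() and request() are hypothetical stand-ins.
const BUILDER = "BUILDER";

// Constructed sample datasource; its bucket is fixed by configuration.
const datasources = {
  ds_s3_example: { source: "S3", config: { bucket: "configured-bucket" } },
};

// Stand-in for the real S3 pre-signing call; returns a placeholder URL.
function signUploadUrl(bucket, key) {
  return `https://${bucket}.s3.example.invalid/${encodeURIComponent(key)}?sig=PLACEHOLDER`;
}

// Authorization middleware: stop the chain unless the session has the role.
function authorized(role) {
  return (ctx, next) => {
    if (!ctx.user) { ctx.status = 401; return; }
    if (!ctx.user.roles.includes(role)) { ctx.status = 403; return; }
    next();
  };
}

// Controller: the bucket comes from the stored datasource, never the request.
function getSignedUploadUrl(ctx) {
  const datasource = datasources[ctx.params.datasourceId];
  if (!datasource || datasource.source !== "S3") { ctx.status = 404; return; }
  const bucket = datasource.config.bucket; // ctx.request.body.bucket is ignored
  const key = String(ctx.request.body.key || "");
  if (!key) { ctx.status = 400; return; }
  ctx.status = 200;
  ctx.body = { bucket, key, signedUrl: signUploadUrl(bucket, key) };
}

// Route definition for POST /api/attachments/:datasourceId/url, guard first.
const route = [authorized(BUILDER), getSignedUploadUrl];

// Run the chain in order; a middleware that does not call next() ends it.
function request(user, datasourceId, body) {
  const ctx = { user, params: { datasourceId }, request: { body }, status: 404, body: null };
  const run = (i) => { if (i < route.length) route[i](ctx, () => run(i + 1)); };
  run(0);
  return ctx;
}
```

The same requests make a useful regression test after patching: an unauthenticated call must never reach the signing code, and a request naming a different bucket must still be signed for the configured one.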