Skip to content

Security: Form body parameter injection in getImsAdminProfile #1352

Description

@solaris007

Summary

getImsAdminProfile in spacecat-shared-ims-client constructs a application/x-www-form-urlencoded POST body via string concatenation without URL-encoding the guid or authSource values. This allows form body parameter injection if the caller passes unsanitized user input.

Location

packages/spacecat-shared-ims-client/src/clients/ims-client.js - around line 357:

const formBody = `guid=${guid}&client_id=${this.config.clientId}&auth_src=${authSource}`;

The guid and authSource come from extractGuidAndAuthSource in utils.js (line ~69), which does a bare split('@') with no validation or encoding:

const [guid, authSource] = imsId.split('@');

Attack Scenario

If a caller passes user-controlled input (e.g., from a Slack command or API parameter), an attacker can inject additional form parameters:

  • Input: fakeGuid&client_id=malicious_client@AdobeOrg
  • After split('@'): guid = "fakeGuid&client_id=malicious_client", authSource = "AdobeOrg"
  • Resulting form body: guid=fakeGuid&client_id=malicious_client&client_id=<real_client_id>&auth_src=AdobeOrg

Depending on how the IMS server handles duplicate parameters (first-wins vs last-wins), the attacker could override client_id or inject arbitrary parameters into an authenticated server-to-server request bearing a service access token.

Impact

  • This is a form parameter pollution / HTTP parameter tampering vulnerability
  • The request is authenticated with a service access token (admin-profile-read scope), so injected parameters ride on elevated credentials
  • Affects all callers of getImsAdminProfile, not just a specific command
  • Practical exploitability depends on IMS server-side parsing behavior, but the vulnerability exists in the code path regardless

Recommended Fix

Use URLSearchParams instead of string concatenation:

const params = new URLSearchParams();
params.set('guid', guid);
params.set('client_id', this.config.clientId);
params.set('auth_src', authSource);
const formBody = params.toString();

This automatically URL-encodes all values, preventing parameter injection.

Additionally, extractGuidAndAuthSource should validate the input format before splitting:

const IMS_ID_PATTERN = /^[A-Za-z0-9]+@[A-Za-z0-9]+$/;
if (!IMS_ID_PATTERN.test(imsId)) {
  throw new Error(`Invalid IMS ID format: expected GUID@AuthSource`);
}

Found During

Security review of adobe/spacecat-api-service#1814

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions