Summary
A vulnerability was identified in DIFY AI where normal users are improperly granted permission to export an app's DSL. DIFY AI can export and import application templates as YAML-format DSL files, a feature intended to facilitate sharing and collaboration among administrator team members. However, it poses a security risk. The '/export' endpoint is meant to allow administrator users to export DSL. Although normal users are not permitted to create apps or orchestrate them, DIFY's current access control design mistakenly allows normal users to export DSL as well. This should not be allowed, as it lets non-admin users retrieve an app's DSL, while DIFY is intended to restrict non-admin users from creating apps and from importing DSL to create apps.
Affected endpoint
- /console/api/apps/{app.id}/export
Authentication
Yes (normal user)
PoC
Based on my observation, this access control flaw is likely not intended by the DIFY design, as only admin users should have the capability to export APP DSL, but it was found that a normal user was able to export the APP DSL.

Recommendation
To mitigate this issue, update the access control mechanisms to enforce stricter user role permissions. Normal users should not be able to export the APP DSL of any app. Implement and review role-based access controls (RBAC) to ensure that only users with admin privileges can export the APP DSL.
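The role gate the recommendation asks for, shown as an added example that is not Dify's own code: the "before" handler only checks that the caller is an authenticated member of the app's workspace, while the hardened handler also requires an allowlisted role before any DSL is read. The `Role`, `Member` and `App` types, the role names and the handler signatures are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from http import HTTPStatus


class Role(str, Enum):  # assumed role names, not Dify's actual ones
    OWNER = "owner"
    ADMIN = "admin"
    NORMAL = "normal"


@dataclass(frozen=True)
class Member:
    user_id: str
    tenant_id: str
    role: Role


@dataclass(frozen=True)
class App:
    app_id: str
    tenant_id: str
    dsl: dict  # the application template that /export serialises as YAML


# Explicit allowlist: a role added later is denied until it is consciously granted.
EXPORT_DSL_ROLES = frozenset({Role.OWNER, Role.ADMIN})


def can_export_dsl(member: Member, app: App) -> bool:
    """Same-workspace check plus role allowlist; anything else is denied."""
    return member.tenant_id == app.tenant_id and member.role in EXPORT_DSL_ROLES


def export_vulnerable(member: Member, app: App) -> tuple[int, object]:
    """Before: authentication and workspace membership are the only checks,
    so a normal user receives the DSL (the flaw described in the advisory)."""
    if member.tenant_id != app.tenant_id:
        return HTTPStatus.NOT_FOUND, None
    return HTTPStatus.OK, app.dsl


def export_hardened(member: Member, app: App) -> tuple[int, object]:
    """After: the role gate runs before any data is read."""
    if not can_export_dsl(member, app):
        return HTTPStatus.FORBIDDEN, None
    return HTTPStatus.OK, app.dsl


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    app = App("app-1", "tenant-1", {"app": {"name": "demo", "mode": "chat"}})
    normal = Member("u1", "tenant-1", Role.NORMAL)
    admin = Member("u2", "tenant-1", Role.ADMIN)
    print("vulnerable, normal user:", export_vulnerable(normal, app)[0])  # 200
    print("hardened, normal user:  ", export_hardened(normal, app)[0])    # 403
    print("hardened, admin:        ", export_hardened(admin, app)[0])     # 200
```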
Impact
Intellectual Property Theft: If a normal user can export the APP DSL created by an admin, they could steal the application's design and replicate it independently. This risk is particularly significant if the exported DSL files contain proprietary algorithms or unique business logic.
Unauthorized Access: Allowing unauthorized users (normal users) to export DSL files could lead to sensitive data exposure or misuse. Ensuring that only authorized personnel have access to export features is crucial to maintaining application security and integrity.
Finder Credits:
Aden Yap Chuen Zhen, BAE Systems Digital Intelligence (Malaysia) (Github ID: zn9988)
Ali Radzali, BAE Systems Digital Intelligence (Malaysia) (Github ID: H0j3n)