{
  "schema_version": "1.4.0",
  "id": "GHSA-wpmx-564x-h2mh",
  "modified": "2024-03-01T14:35:42Z",
  "published": "2023-12-28T21:16:57Z",
  "aliases": [
    "CVE-2023-52081"
  ],
  "summary": "ewen-lbh/ffcss Late-Unicode normalization vulnerability",
  "details": "### Summary\nThe function `lookupPreprocess()` is meant to apply some transformations to a string by disabling characters in the regex `[-_ .]`. However, due to the use of late Unicode normalization of type NFKD, it is possible to bypass that validation and re-introduce all the characters in the regex `[-_ .]`. \n\n```go\n// lookupPreprocess applies transformations to s so that it can be compared\n// to search for something.\n// For example, it is used by (ThemeStore).Lookup\nfunc lookupPreprocess(s string) string {\n\treturn strings.ToLower(norm.NFKD.String(regexp.MustCompile(`[-_ .]`).ReplaceAllString(s, \"\")))\n}\n``` \n\nTake the following equivalent Unicode character U+2024 (․). Initially, the `lookupPreprocess()` function would compile the regex and replace the regular dot (.). However, the U+2024 (․) would bypass the `ReplaceAllString()`. When the normalization operation is applied to U+2024 (․), the resulting character will be U+002E (.). Thus, the dot was reintroduced back.\n\n### Impact\n\nThe `lookupPreprocess()` can be easily bypassed with equivalent Unicode characters like U+FE4D (﹍), which would result in the omitted U+005F (_), for instance. It should be noted here that the variable `s` is user-controlled data coming from [/cmd/ffcss/commands.go#L22-L28](https://github.com/ewen-lbh/ffcss/blob/master/cmd/ffcss/commands.go#L22-L28) the command args. The `lookupPreprocess()` function is only ever used to search for themes loosely (case insensitively, while ignoring dashes, underscores and dots), so the actual security impact is classified as low.\n\n### Remediation\n\nA simple fix would be to initially perform the Unicode normalization and then the rest of validations.\n\n### References\n\n - https://sim4n6.beehiiv.com/p/unicode-characters-bypass-security-checks\n",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/ewen-lbh/ffcss"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.2.0"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ewen-lbh/ffcss/security/advisories/GHSA-wpmx-564x-h2mh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-52081"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ewen-lbh/ffcss/commit/f9c491874b858a32fcae15045f169fd7d02f90dc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ewen-lbh/ffcss"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-176",
      "CWE-74"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-12-28T21:16:57Z",
    "nvd_published_at": "2023-12-28T16:16:02Z"
  }
}