Big security vulnerability

Hi,

I’ve just realised that it is very easy to create a big security vulnerability when using this package to upload files (I almost did this on my site).

Suppose you have JSON body parsing enabled on a POST or PUT route, say ‘/upload-files’, as well as multipart parsing. This is quite easy to do e.g. if you add JSON parsing as global middleware. Suppose it expects the files to be in a field named ‘uploads’. Then you can make a POST or PUT request to ‘/upload-files’ with a JSON body that looks something like {"files": {"uploads": [{"path": "/any/file/path"}]}}, making the request handler think a file has been uploaded to /any/file/path. Now suppose that the handler is set up to copy uploaded files into a public uploads folder. By choosing the path appropriately I can make the server copy any file I like on the server into the public uploads folder and then view its contents. So by using well-known paths of sensitive files I can read private keys, passwords etc. and maybe even gain full access to the server this way.

I haven’t tried actually doing this, but I think it’s correct (sorry if I’m wrong). In my opinion, it would be better to put the files object on ctx.request instead of ctx.request.body, so that we know it can be trusted.

Thanks.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 9
  • Comments: 18 (3 by maintainers)

Top GitHub Comments

6 reactions
damianb commented, May 15, 2018

@dlau is this on your road map to address, or is this module no longer being maintained?

2 reactions
benstevens48 commented, Jan 27, 2018

Erm well I think people ought to be discouraged from using ctx.request.body.files. You could keep it to maintain compatibility but there should be a very obvious warning about the dangers in the readme. Or you could remove it and increase the major version number, or add a deprecation warning and then remove ctx.request.body.files if you get round to releasing another major version.
