Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Big security vulnerability

See original GitHub issue


I’ve just realised that it is very easy to create a big security vulnerability when using this package to upload files (I almost did this on my site).

Suppose you have JSON body parsing enabled on a POST or PUT route, say ‘/upload-files’, as well as multipart parsing. This is quite easy to do e.g. if you add JSON parsing as global middleware. Suppose it expects the files to be in a field named ‘uploads’. Then you can make a POST or PUT request to ‘/upload-files’ with a JSON body that looks something like {"files": {"uploads": [{"path": "/any/file/path"}]}}, making the request handler think a file has been uploaded to /any/file/path. Now suppose that the handler is set up to copy uploaded files into a public uploads folder. By choosing the path appropriately I can make the server copy any file I like on the server into the public uploads folder and then view its contents. So by using well-known paths of sensitive files I can read private keys, passwords etc. and maybe even gain full access to the server this way.

I haven’t tried actually doing this, but I think it’s correct (sorry if I’m wrong). In my opinion, it would be better to put the files object on ctx.request instead of ctx.request.body, so that we know it can be trusted.


Issue Analytics

  • State:closed
  • Created 6 years ago
  • Reactions:9
  • Comments:18 (3 by maintainers)

github_iconTop GitHub Comments

damianbcommented, May 15, 2018

@dlau is this on your road map to address, or is this module no longer being maintained?

benstevens48commented, Jan 27, 2018

Erm well I think people ought to be discouraged from using ctx.request.body.files. You could keep it to maintain compatibility but there should be a very obvious warning about the dangers in the readme. Or you could remove it and increase the major version number, or add a deprecation warning and then remove ctx.request.body.files if you get round to releasing another major version.

Read more comments on GitHub >

github_iconTop Results From Across the Web

Latest cybersecurity vulnerability news | The Daily Swig
Read the latest cybersecurity vulnerability news from The Daily Swig. Keeping up with security vulnerabilities is now more crucial than ever.
Read more >
Known Exploited Vulnerabilities Catalog | CISA
US Department of Homeland Security CISA Cyber + Infrastructure ... Execution Vulnerability, 2021-11-03, In BIG-IP versions 15.0.0-, 14.1.0-, ...
Read more >
The Top Security Vulnerabilities of 2022 and Their Workarounds
BIG -IP iControl REST RCE(CVE-2022-1388). The CVE-2022-1388 flaw enables remote code executions on systems using affected versions of F5 BIG-IP ...
Read more >
The most dangerous vulnerabilities exploited in 2022
This article will spotlight some of the most dangerous vulnerabilities that threat actors exploited in the first half of 2022.
Read more >
10 Common Web Security Vulnerabilities - Toptal
Internet security threats are methods of abusing web technology to the detriment of a website, its users, or even the internet at large....
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found