
Filename filtering is inappropriate


I came across your filename handling and filtering with CVE-2022-29622 and this issue: https://github.com/node-formidable/formidable/issues/856#issuecomment-1139648406

First, you also got blamed inappropriately by this CVE-2022-29622, whoever is responsible for publishing it without correct approval.
Filenames of forms can contain HTML tags and JS-like text, like any other form input, and it is the responsibility of the lib user to handle this, because only he/she knows where this filename is used and what is a safety risk. All this filtering and replacement makes it worse, because the original filename of the upload gets lost.

Why I’ve opened this issue: the current formidable code has some filename filtering which is dysfunctional.

This is an example you can put in e.g. https://replit.com/languages/nodejs. The code is from your current master https://github.com/node-formidable/formidable/blob/master/src/Formidable.js and I’ve added some asserts to show the problem.

const assert = require('assert');
const path = require('path');

const invalidExtensionChar = (c) => {
  const code = c.charCodeAt(0);
  return !(
    code === 46 || // .
    (code >= 48 && code <= 57) ||
    (code >= 65 && code <= 90) ||
    (code >= 97 && code <= 122)
  );
};

function _getFileName(headerValue) {
  // matches either a quoted-string or a token (RFC 2616 section 19.5.1)
  const m = headerValue.match(
    /\bfilename=("(.*?)"|([^()<>{}[\]@,;:"?=\s/\t]+))($|;\s)/i,
  );
  if (!m) return null;

  const match = m[2] || m[3] || '';
  let originalFilename = match.substr(match.lastIndexOf('\\') + 1);
  originalFilename = originalFilename.replace(/%22/g, '"');
  originalFilename = originalFilename.replace(/&#([\d]{4});/g, (_, code) =>
    String.fromCharCode(code),
  );

  return originalFilename;
}

// able to get composed extension with multiple dots
// "a.b.c" -> ".b.c"
// as opposed to path.extname -> ".c"
function _getExtension(str) {
  if (!str) {
    return '';
  }

  const basename = path.basename(str);
  const firstDot = basename.indexOf('.');
  const lastDot = basename.lastIndexOf('.');
  let rawExtname = path.extname(basename);

  assert(rawExtname === '.txt'); // node knows how to do it

  if (firstDot !== lastDot) {
    rawExtname = basename.slice(firstDot);
  }

  let filtered;
  const firstInvalidIndex = Array.from(rawExtname).findIndex(invalidExtensionChar);
  if (firstInvalidIndex === -1) {
    filtered = rawExtname;
  } else {
    filtered = rawExtname.substring(0, firstInvalidIndex);
  }
  if (filtered === '.') {
    return '';
  }
  return filtered;
}

let headerValue = 'filename="data-<test@example.com>.txt"';
let filename = _getFileName(headerValue);
let ext = _getExtension(filename);

assert(ext !== '.com', 'wrong extension .com !== .txt: dangerous executable');
assert(ext === '.txt'); // all would be fine

Top GitHub Comments

4 reactions
keymandll commented, May 31, 2022

Got here as SCA blocked the build of one of our services due to the CVE referenced earlier. I think @kolbma is right here: https://github.com/node-formidable/formidable/issues/856#issuecomment-1138180400 It should be OK to upload a file with a name that is supported by the file system. What someone does with the uploaded file after should be of no concern of this library.

I’ve reached out to both NVD and MEND asking them to look into this and hopefully get the CVE removed as the vulnerability report is literally a joke. The YouTube video attached as proof to the CVE only proves that the person who submitted the vulnerability report is incompetent and that NVD has a serious quality control issue when it comes to vulnerability submissions.

3 reactions
keymandll commented, Jul 20, 2022

@GrosSacASac Never mind. I’m perfectly happy now: due to the security analysis I performed, the industry slowly started realising that Formidable was not vulnerable in the first place.

(SCA is Software Composition Analysis.)
