dmitriy-nz / nestjs-form-data

NestJS middleware for handling multipart/form-data, which is primarily used for uploading files.
https://www.npmjs.com/package/nestjs-form-data
MIT License
117 stars 23 forks

Race condition - using originalFilename in full path #16

Closed Tomas2D closed 2 years ago

Tomas2D commented 2 years ago

Hey, firstly thanks for this library, it is very useful.

I found a situation where you can get a race condition. When you simultaneously receive multiple requests where each request has the same originalName, the target file will be overridden and thus the application can crash later on.

These lines are responsible for that:

https://github.com/dmitriy-nz/nestjs-form-data/blob/ecf063c4c5d58673f7a135ecd975dab592e1f69c/src/classes/storage/FileSystemStoredFile.ts#L18-L21

I propose generating a UUID for it instead of using the original name of the file. It can probably also be a security issue, but I am not sure.

If you want I can make a PR.

Thanks!
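The collision reported above and the proposed UUID naming, side by side, as an added example that is not part of the issue thread or the library's code. The helper names (`pathFromOriginalName`, `uniqueUploadPath`, `simulate`) and the two sample uploads are constructed for illustration.

```typescript
import { randomUUID } from "node:crypto";
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

type PathFn = (dir: string, originalName: string) => string;

// Pattern reported in the issue: the stored path is derived from the client's filename.
const pathFromOriginalName: PathFn = (dir, originalName) =>
  path.join(dir, originalName);

// Proposed pattern: a server-generated UUID names the file. Only a sanitised,
// length-limited extension is carried over from the client-supplied name.
const uniqueUploadPath: PathFn = (dir, originalName) => {
  const ext = path.extname(path.basename(originalName)).replace(/[^.\w]/g, "").slice(0, 16);
  return path.join(dir, randomUUID() + ext);
};

// Two constructed requests upload the same filename before either is processed.
// Returns the content each request reads back from its stored path.
// flag "w" truncates an existing file; "wx" fails with EEXIST instead.
function simulate(makePath: PathFn, flag: "w" | "wx" = "w"): string[] {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "upload-demo-"));
  try {
    const uploads = [
      { originalName: "report.pdf", body: "request A" },
      { originalName: "report.pdf", body: "request B" },
    ];
    const stored = uploads.map((u) => {
      const p = makePath(dir, u.originalName);
      fs.writeFileSync(p, u.body, { flag, mode: 0o600 });
      return p;
    });
    return stored.map((p) => fs.readFileSync(p, "utf8"));
  } finally {
    fs.rmSync(dir, { recursive: true, force: true });
  }
}

// With the original name, request A reads back request B's data.
console.log("original name:", simulate(pathFromOriginalName));
// With a UUID per upload, each request keeps its own file.
console.log("uuid name:    ", simulate(uniqueUploadPath));
```

Opening with the `wx` flag is a complementary check: a name collision then surfaces as an `EEXIST` error at write time rather than as silently replaced data.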

dmitriy-nz commented 2 years ago

Hey! Thanks for your feedback! I will look into this issue shortly.

dmitriy-nz commented 2 years ago

I have released a new version, 1.5.0, with a fix for this problem. Please check.

Tomas2D commented 2 years ago

It works as expected. Thank you!