joeyguerra
commented
8 months ago Can you set the fieldname to an empty string?
Open dvtradeling opened 1 year ago
joeyguerra
commented
8 months ago Can you set the fieldname to an empty string?
Markiz9999
commented
7 months ago Is there a workaround to prevent this vulnerability?
In my case, sending such a request to the express server crashes the server.
joeyguerra
commented
7 months ago Have you tried passing a field name?
Markiz9999
commented
7 months ago Sure. With the passed field name everything works fine. But the important thing here is to prevent the application from crashing when the client does something illegal (in this case, send a request with an empty field name).
If your question is did I try to send an empty string in the field name, then by default it is an empty string, but in that case the busboy library emits an undefined value.
https://github.com/mscdex/busboy/blob/master/lib/types/multipart.js#L296
partName = undefined;https://github.com/mscdex/busboy/blob/master/lib/types/multipart.js#L313
if (disp.params.name)
partName = disp.params.name;https://github.com/mscdex/busboy/blob/master/lib/types/multipart.js#L358
this.emit(
'file',
partName,
this._fileStream,
{ filename,
encoding: partEncoding,
mimeType: partType }
);Previously, the same case was fixed for fields. So we need the same check for files.
Issue: https://github.com/expressjs/multer/issues/553 Fix: https://github.com/expressjs/multer/pull/913
joeyguerra
commented
7 months ago I see. Just need to get the same fix in. Got it.
We use Nest.js FilesInterceptor which uses multer under the hood.
When fieldname is not provided, but fieldNameSize is set, the above line is still executed and TypeError is thrown accordingly. Check this - https://github.com/expressjs/multer/blob/master/lib/make-middleware.js#L103
We need to prevent it.
For fixing this issue please add this line