Closed boly38 closed 9 months ago
Hi @boly38 ,
Thanks for your suggestion and PR. I checked it and from the top of my head created the following code snippet:
function decode(input) {
const matcher = /(%[a-f0-9]{2})/gi;
return input.split(matcher)
.map((str) => {
try {
return decodeURIComponent(str);
} catch (err) {
console.log(str, err.message);
return '';
}
})
.join('');
}
let str = 'bug_bounty_upload_%91and%92.txt';
let res = decode(str);
console.log(res);
The main idea is firstly try to decodeURIComponent the full string and then if it fails run the custom decode, which split the string with escaped chars and skip only those for which it gets error.
Fixed with #356 in version 1.4.1
Hi, We are using express-fileupload on production public website, and encounter some regular attack attempts as well (as on many websites).
One of them is a strange POST against an unmapped api endpoint that cause unexpected error:
URI malformed error
Error Full Stack Sample
Pre analysis on how to reproduce
Following a quick search on that kind of
decodeURIComponent
error, I found that some encoded caracters in filename could produce this.How To Reproduce
1) create a file having some characters in content, and the following name;
bug_bounty_upload_%91and%92.txt
2) create a POST request (ex. using postman), on your express endpoint, exampleselect a Body with![image](https://user-images.githubusercontent.com/3100576/207964561-954f2463-f96d-41ef-bccd-4df980bc6347.png)
form-data
file that point on this file.This is cUrl equivalent
Exected behavior
I expect a fix or a way to avoid this error. (with an option to generate or not info log ?)
security question
If you reproduce this issue on your side, I think maintainer have to create a security advisory entry
what do you think ? Best Regards