
fix: Add file extension check to filename parameter in body #4219

Merged
merged 2 commits into from
Jan 28, 2025

Conversation


@DafyddLlyr DafyddLlyr commented Jan 28, 2025

What's the problem?

From Phil at Jumpsec -

I've looked at the file upload issue again and have noticed that whilst the restrictions have been implemented on the initial filetype uploaded, the "filename" parameter of the upload forms can be used to change the file extension of the file. I've attached a screenshot of this to demonstrate what I mean. I'm still exploring the exploitability of this, but would you be able to implement the same checks on the "filename" parameter file extension value as well to make sure this also matches the allowed list of file types?

What's the solution?

By adding the same validation to our Zod schema, we can share this validation check across the values in the body of the incoming HTTP request, as well as the attached file.

To test

  • Upload a file with a valid extension / mime type (e.g. myImage.png)
  • Use an invalid extension for the filename param (e.g. myImage.exe)
  • Get a Zod validation error ✅

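The shared extension check described above, as an added example that is not code from this PR or from the project: it is written in plain JavaScript rather than Zod so it runs stand-alone, but a Zod schema would wrap the same `hasAllowedExtension` predicate in `.refine()` on both the body `filename` field and the uploaded file's name. The allowlist, the MIME map and the field names (`bodyFilename`, `file.originalname`, `file.mimetype`) are constructed assumptions. It also goes a step beyond the PR's check by requiring the body extension to agree with the uploaded file's extension and the declared MIME type to match that extension, so the two inputs cannot describe different file types.

```javascript
// Added example, not code from the PR or the project.
// Allowlist and MIME map are constructed for illustration.
const ALLOWED_EXTENSIONS = new Map([
  ["png", ["image/png"]],
  ["jpg", ["image/jpeg"]],
  ["jpeg", ["image/jpeg"]],
  ["pdf", ["application/pdf"]],
]);

// Return the final extension, lowercased, or null when there is none.
// Names containing path separators, leading-dot-only names ("​.htaccess")
// and names ending in "." are treated as having no usable extension.
function getExtension(name) {
  if (typeof name !== "string" || /[\\/]/.test(name)) return null;
  const idx = name.lastIndexOf(".");
  if (idx <= 0 || idx === name.length - 1) return null;
  return name.slice(idx + 1).toLowerCase();
}

// The single predicate applied to both inputs; in a Zod schema this is
// the function a `.refine()` on each field would call.
function hasAllowedExtension(name) {
  const ext = getExtension(name);
  return ext !== null && ALLOWED_EXTENSIONS.has(ext);
}

// Validate the body "filename" value and the attached file with the same
// rule, then require the two extensions to agree and the declared MIME
// type to match the extension. `file` mirrors a multer-style object with
// `originalname` and `mimetype` (assumed field names).
function validateUpload({ bodyFilename, file }) {
  const errors = [];

  if (!hasAllowedExtension(bodyFilename)) {
    errors.push("body.filename: extension not in allowlist");
  }
  if (!hasAllowedExtension(file.originalname)) {
    errors.push("file.originalname: extension not in allowlist");
  }

  const bodyExt = getExtension(bodyFilename);
  const fileExt = getExtension(file.originalname);
  if (bodyExt && fileExt && bodyExt !== fileExt) {
    errors.push("body.filename extension does not match uploaded file extension");
  }
  if (fileExt && ALLOWED_EXTENSIONS.has(fileExt) &&
      !ALLOWED_EXTENSIONS.get(fileExt).includes(file.mimetype)) {
    errors.push("file.mimetype does not match file extension");
  }

  return { ok: errors.length === 0, errors };
}

// Reproduces the manual test from the PR description: a valid upload, then the
// same file with an `.exe` body filename.
const validUpload = validateUpload({
  bodyFilename: "myImage.png",
  file: { originalname: "myImage.png", mimetype: "image/png" },
});
const renamedUpload = validateUpload({
  bodyFilename: "myImage.exe",
  file: { originalname: "myImage.png", mimetype: "image/png" },
});
console.log(validUpload, renamedUpload);
```

The extension is compared case-insensitively and only the final extension counts, which is how most servers and browsers decide how to handle a file; anything carrying a path separator or no real extension is rejected outright rather than guessed at.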

@DafyddLlyr DafyddLlyr requested a review from a team January 28, 2025 09:59

github-actions bot commented Jan 28, 2025

Removed vultr server and associated DNS entries


@jessicamcinchak jessicamcinchak left a comment


Swagger docs working exactly as expected for me here, happy for this to go once tests are updated/passing too !

@DafyddLlyr DafyddLlyr merged commit 71d8127 into main Jan 28, 2025
13 checks passed
@DafyddLlyr DafyddLlyr deleted the dp/filename-restriction-validation branch January 28, 2025 11:27