Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: use md5 hash for filename to avoid path traversal vulnerability #40

Merged
merged 1 commit into from
May 9, 2023
Merged

fix: use md5 hash for filename to avoid path traversal vulnerability #40

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 4 additions & 6 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ bb.extend(app, {
```

By default this module will create an `Array` when it finds multiple fields with the
same name in the POST parameters. You can set `restrictMultiple` to `true` to
same name in the POST parameters. You can set `restrictMultiple` to `true` to
not parse mutiple POST values into `Array`'s

file uploads
Expand All @@ -46,8 +46,7 @@ bb.extend(app, {

`path` will default to: `os.tmpdir()/express-busboy/<uuid>/<the field name>/<filename>`.

allowedPath can contain a regular expression limiting the upload function to given urls. For example `/^\/upload$/` would only allow uploads in the /upload path.

`allowedPath` can contain a regular expression limiting the upload function to given urls. For example `/^\/upload$/` would only allow uploads in the /upload path.

You can have a function returning true/false if you prefer that:

Expand All @@ -68,7 +67,7 @@ options.mimeTypeLimit = [
];
```

Name and filename inputs will be sanitized before determining path for the file on disk. If you want to change this behavior you can provide a strip function of your own:
Name and filename inputs will be sanitized into an MD5 hash before determining path for the file on disk. If you want to change this behavior you can provide a strip function of your own:

```js
// this will not sanitize the inputs
Expand All @@ -77,5 +76,4 @@ options.strip = function(value, type) {
}
```

When files are not uploaded due to path or mimetype checks, no error is returned (so the other data in the request can be handled) the restricted item
will simply not appear in the `req.files` `Object`.
When files are not uploaded due to path or mimetype checks, no error is returned (so the other data in the request can be handled) the restricted item will simply not appear in the `req.files` `Object`.
8 changes: 6 additions & 2 deletions index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ const mkdirp = require('mkdirp');
const qs = require('qs');
const os = require('os');
const jsonBody = require('body/json');
const crypto = require('crypto');

const fixDups = (item) => {
Object.keys(item).forEach((field) => {
Expand All @@ -25,9 +26,12 @@ const fixDups = (item) => {
return item;
};

const stripRegexp = /.*\//;
const md5 = (value) => {
return crypto.createHash('md5').update(value).digest("hex");
};

const strip = (value) => {
return value.replace(stripRegexp, '');
return md5(value);
};

var convertParams = (item, name, data) => {
Expand Down