express-fileupload
Security patches and updates
There have been some unconfirmed security reports raised by @harunoz. This ticket will track the decisions and fixes (if any) to address all open security reports.
There are five primary areas that are covered in Harun's reports:
- File Naming (currently reviewing)
- Spoofing (currently reviewing)
- Polyglot files
- PDF files
- ~File overwriting~ : this has been confirmed to be a non-issue. In the report, the user is intentionally implementing bad practices, such as uploading file contents into areas of the filesystem where sensitive files, such as source files, are present. It is up to the user of express-fileupload to ensure that files placed with the `.mv` method are placed in a secure location where they cannot cause harm regardless of the filename or extension.
Would you like to share some details so we could also help with it?
@duterte can you email me at richardgirges - a t - gmail dot com? I will send you the report
@richardgirges While you are reviewing these, I think it might be helpful to reach out to NIST/Mitre and request that these CVEs be marked as disputed. At the moment, all security scanning tools flag this issue as super-mega-critical, which is unfortunate. To mark it as disputed, you just have to message them here: https://cveform.mitre.org/
@richardgirges - CVE-2022-27140 is now marked as disputed in NIST's database
** DISPUTED ** ... NOTE: the vendor's position is that the observed behavior can only occur with "intentional misusing of the API": the express-fileupload middleware is not responsible for an application's business logic (e.g., determining whether or how a file should be renamed).
Hi, does anyone know if the developers are working on this issue?