TypeError: Cannot read properties of undefined (reading 'length') when fieldNameSize is not set #1233
Comments
|
Can you set the fieldname to an empty string? |
|
Is there a workaround to prevent this vulnerability? In my case, sending such a request to the express server crashes the server. |
|
Have you tried passing a field name? |
|
Sure. With the passed field name everything works fine. But the important thing here is to prevent the application from crashing when the client does something illegal (in this case, send a request with an empty field name). If your question is did I try to send an empty string in the field name, then by default it is an empty string, but in that case the busboy library emits an undefined value. https://github.com/mscdex/busboy/blob/master/lib/types/multipart.js#L296 partName = undefined;https://github.com/mscdex/busboy/blob/master/lib/types/multipart.js#L313 if (disp.params.name)
partName = disp.params.name;https://github.com/mscdex/busboy/blob/master/lib/types/multipart.js#L358 this.emit(
'file',
partName,
this._fileStream,
{ filename,
encoding: partEncoding,
mimeType: partType }
); |
|
I see. Just need to get the same fix in. Got it. |
We use Nest.js FilesInterceptor which uses multer under the hood.
When fieldname is not provided, but fieldNameSize is set, the above line is still executed and TypeError is thrown accordingly.
Check this - https://github.com/expressjs/multer/blob/master/lib/make-middleware.js#L103
We need to prevent it.
For fixing this issue please add this line
The text was updated successfully, but these errors were encountered: