-
Notifications
You must be signed in to change notification settings - Fork 261
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
upload attack surface - URI malformed error #342
Comments
boly38
added a commit
to boly38/express-fileupload
that referenced
this issue
Dec 15, 2022
HowTo reproduce source: https://stackoverflow.com/questions/28063750/decodeuricomponent-throwing-an-error-uri-malformed HowTo prevent invalid character credit: https://stackoverflow.com/questions/2670037/how-to-remove-invalid-utf-8-characters-from-a-javascript-string Thanks: T.J. Crowder Thanks: Phylogenesis Thanks: loretoparisi
boly38
added a commit
to boly38/express-fileupload
that referenced
this issue
Dec 16, 2022
HowTo reproduce source: https://stackoverflow.com/questions/28063750/decodeuricomponent-throwing-an-error-uri-malformed HowTo prevent invalid character credit: https://stackoverflow.com/questions/2670037/how-to-remove-invalid-utf-8-characters-from-a-javascript-string Thanks: T.J. Crowder Thanks: Phylogenesis Thanks: loretoparisi fix test, lint and remove replaceAll
boly38
added a commit
to boly38/express-fileupload
that referenced
this issue
Dec 16, 2022
HowTo reproduce source: https://stackoverflow.com/questions/28063750/decodeuricomponent-throwing-an-error-uri-malformed HowTo prevent invalid character credit: https://stackoverflow.com/questions/2670037/how-to-remove-invalid-utf-8-characters-from-a-javascript-string Thanks: T.J. Crowder Thanks: Phylogenesis Thanks: loretoparisi fix test, lint and remove replaceAll
Hi @boly38 , Thanks for your suggestion and PR. function decode(input) {
const matcher = /(%[a-f0-9]{2})/gi;
return input.split(matcher)
.map((str) => {
try {
return decodeURIComponent(str);
} catch (err) {
console.log(str, err.message);
return '';
}
})
.join('');
}
let str = 'bug_bounty_upload_%91and%92.txt';
let res = decode(str);
console.log(res); The main idea is firstly try to decodeURIComponent the full string and then if it fails run the custom decode, |
RomanBurunkov
added a commit
to RomanBurunkov/express-fileupload
that referenced
this issue
Sep 15, 2023
RomanBurunkov
added a commit
that referenced
this issue
Sep 20, 2023
Fix issue #342:URI malformed error.
Fixed with #356 in version 1.4.1 |
This was referenced Sep 8, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
We are using express-fileupload on production public website,
and encounter some regular attack attempts as well (as on many websites).
One of them is a strange POST against an unmapped api endpoint that cause unexpected error:
URI malformed error
Error Full Stack Sample
Pre analysis on how to reproduce
Following a quick search on that kind of
decodeURIComponent
error, I found that some encoded caracters in filename could produce this.How To Reproduce
bug_bounty_upload_%91and%92.txt
select a Body with
form-data
file that point on this file.This is cUrl equivalent
Exected behavior
I expect a fix or a way to avoid this error.
(with an option to generate or not info log ?)
security question
If you reproduce this issue on your side, I think maintainer have to create a security advisory entry
what do you think ?
Best Regards
The text was updated successfully, but these errors were encountered: