RomanBurunkov
Collaborator

Cutting off huge file names by 255 characters.

BTRFS 255 bytes
exFAT 255 UTF-16 characters
ext2 255 bytes
ext3 255 bytes
ext3cow 255 bytes
ext4 255 bytes
FAT32 8.3 (255 UCS-2 code units with VFAT LFNs)
NTFS 255 characters
XFS 255 bytes

Removed uriDecodeFileName, since it is now invoked in parseFileName function.
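
The list in the description above mixes byte limits (ext4, XFS, BTRFS) with UTF-16 limits (exFAT, NTFS), while a JavaScript string's `length` counts UTF-16 code units. As an added example, not code from this pull request or from express-fileupload, the hypothetical helper `truncateFileName` below caps a name at 255 UTF-8 bytes without splitting a code point and keeps the extension; the helper names and the sample inputs are assumptions.

```javascript
// Added illustration; not the project's parseFileName.
const MAX_NAME_BYTES = 255; // strictest limit in the list: bytes, not characters

// Longest prefix of `str` whose UTF-8 encoding fits in `maxBytes`.
// for...of iterates by code point, so a surrogate pair is never split.
function fitUtf8(str, maxBytes) {
  let out = '';
  let used = 0;
  for (const ch of str) {
    const size = Buffer.byteLength(ch, 'utf8');
    if (used + size > maxBytes) break;
    out += ch;
    used += size;
  }
  return out;
}

// Hypothetical helper: cap a file name at 255 UTF-8 bytes, keeping the extension.
function truncateFileName(name, maxBytes = MAX_NAME_BYTES) {
  if (Buffer.byteLength(name, 'utf8') <= maxBytes) return name;
  const dot = name.lastIndexOf('.');
  // A leading dot (".profile") or no dot at all means no extension to keep.
  const ext = dot > 0 ? name.slice(dot) : '';
  const extBytes = Buffer.byteLength(ext, 'utf8');
  // An oversized "extension" cannot be preserved; cut the whole name instead.
  if (extBytes >= maxBytes) return fitUtf8(name, maxBytes);
  return fitUtf8(name.slice(0, dot > 0 ? dot : name.length), maxBytes - extBytes) + ext;
}

// Constructed sample: 204 UTF-16 units, but 404 bytes in UTF-8.
const accented = '\u00e9'.repeat(200) + '.png';
console.log(accented.slice(0, 255).length, Buffer.byteLength(accented.slice(0, 255)));
console.log(Buffer.byteLength(truncateFileName(accented)));
```

A plain `slice(0, 255)` leaves the constructed sample untouched even though it is far over a 255-byte limit, which is the case the byte-based cut handles.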
@coveralls
coveralls commented Oct 18, 2019

Coverage increased (+0.01%) to 98.326% when pulling b135f2c on RomanBurunkov:master into 054772b on richardgirges:master.

- Bump version to 1.1.6-alpha.3
- Update required busboy version to the latest one
- Update test command: use absolute path to _mocha, using relative path causes errors in windows env.
Add details from which version useTempFiles available.
Add tests for cutting huge names in parseFileName.
Fix typo: forgot comma.
@RomanBurunkov RomanBurunkov merged commit 63465fa into richardgirges:master Oct 21, 2019
@asafbiton

Hi @RomanBurunkov, my name is Asaf and I'm working for Snyk. This PR has popped up in our systems as a potential security issue. Before publishing an advisory about it, we'd like to properly understand the issue at hand. Could you perhaps help me understand the need for this PR? Feel free to reply here or e-mail me directly. Thank you!

@RomanBurunkov
Collaborator Author

RomanBurunkov commented Oct 22, 2019 via email

@dev-trilobyte

Hello, I'm a bit confused if this security fix is released already?

You committed this on Oct 18, but Version 1.1.6 shows a release date of Sept 20 (before) but lists this as fixed. And looking at the code of version 1.1.6 installed via npm, this bugfix seems to be there too.

Important for @asafbiton too to mark this as fixed inside their vuln database...

Thanks,
Stefan Seide

@RomanBurunkov
Collaborator Author

It is fixed in 1.1.6-alpha.6 and 1.1.6 as well.
You can also check npm advisory about that.
