[File Upload] Mask TempFile Path

Forge Component
Published on 8 Aug by Renato Pauleta
21 votes

Hello,

We are using this component to upload files with no issue. However, a security test revealed an internal path disclosure vulnerability in the JSON response of the file upload.

Do we have an option to mask it? Or, if I can do it myself in the code, can someone point me to where to change it?

Thanks in advance!

I think you should do this yourself in code. You could link it to an internal entity where you translate it to the target file (this way if the mask is not found, you will not return the file).

Joey Moree wrote:

I think you should do this yourself in code. You could link it to an internal entity where you translate it to the target file (this way if the mask is not found, you will not return the file).

Thanks for the quick reply.

I tried digging inside the code. I saw where it sets the path, but I couldn't find where this path is used.

My goal is just to make this path not interpretable by the public. My idea was just to convert it to Base64 with a salt.

You could do that, but if somebody gets hold of your salt, they could potentially still access the files you'd rather not have them access.
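To make the trade-off in the last two replies concrete, here is an added example. It is my own illustration, not code from this thread or from the Forge component, and it is in Python rather than OutSystems because the component's own code is not on the page. It contrasts the response that echoes the temp path, the Base64-plus-salt masking idea and why a fixed salt does not stop a client from recovering the path, and Joey's suggestion of handing the client an opaque handle that is resolved through a server-side entity. `UploadRegistry`, `SALT`, the constructed sample file and every function name are assumptions for illustration.

```python
import base64
import json
import os
import secrets
import tempfile

# Constructed sample input: a file an upload handler has just written to a temp
# directory. TEMP_DIR, SAMPLE_PATH and SALT are assumptions for this illustration,
# not names used by the Forge component.
TEMP_DIR = tempfile.mkdtemp(prefix="upload_")
SAMPLE_PATH = os.path.join(TEMP_DIR, "report.pdf")
with open(SAMPLE_PATH, "wb") as fh:
    fh.write(b"%PDF-1.4 constructed sample content")


# 1. The finding: the upload response echoes the server-side temp path to the client.
def vulnerable_response(path):
    return {"status": "ok", "tempFile": path}


# 2. "Masking" with Base64 plus a salt. The server can reverse it, but so can anyone
#    who reads the response: Base64 is an encoding, not encryption, and the salt is
#    just a fixed prefix that a reader can strip without knowing its value.
SALT = "s3cr3t"


def salted_base64_mask(path):
    return base64.urlsafe_b64encode(f"{SALT}:{path}".encode()).decode()


def salted_base64_unmask(token):
    decoded = base64.urlsafe_b64decode(token).decode()
    salt, _, path = decoded.partition(":")
    return path if salt == SALT else None


def recover_path_without_salt(token):
    # What a client-side observer does: decode and drop everything up to the
    # first ':'. The salt's value is never needed.
    return base64.urlsafe_b64decode(token).decode().split(":", 1)[1]


# 3. Opaque handle: a random token mapped to the path in a server-side store
#    (the "internal entity" suggested above). The token carries no information
#    about the path, and an unknown token simply resolves to nothing.
class UploadRegistry:
    def __init__(self):
        self._files = {}

    def register(self, path):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._files[token] = path
        return token

    def resolve(self, token):
        return self._files.get(token)  # None for unknown or revoked handles

    def forget(self, token):
        # A handle can be revoked once the upload is committed; a leaked path cannot.
        self._files.pop(token, None)

    def response(self, path):
        return {"status": "ok", "fileId": self.register(path)}


def fetch_file(registry, token):
    path = registry.resolve(token)
    if path is None:
        return None  # handle not found: return nothing, as suggested above
    with open(path, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    print(json.dumps(vulnerable_response(SAMPLE_PATH)))
    masked = salted_base64_mask(SAMPLE_PATH)
    print(masked, "->", recover_path_without_salt(masked))
    reg = UploadRegistry()
    print(json.dumps(reg.response(SAMPLE_PATH)))
```

In an OutSystems implementation the dictionary would be the internal entity keyed by the token, and the token is the only thing that goes into the JSON response; any later request resolves it server side and returns nothing when the lookup misses. Entries should also be expired or deleted once the upload is finalised so stale handles stop working.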

Hi Kelvin and Joey,

Bearing in mind the feedback shared in this post, a new version of the component has been published (still under development, as more tests are required) that tries to solve this issue by hiding the file path from the client side.

Given the way the multiple files are being saved server side, it actually looks like there is no strong reason to send the path back and forth on each request.

Feel free to test this new version and share your feedback.

Thanks!