[File Upload] Mask TempFile Path

Forge Component
Published on 2018-09-05 by Carlos Alfaro
19 votes

Hello,

We are using this component to upload files with no issue. However, a security test reveals a vulnerability on the internal path disclosure in the JSON response of the file upload.

Do we have an option to mask it or if I can do it myself in the code, can someone point me where to change?

Thanks in advance!

I think you should do this yourself in code. You could link it to an internal entity where you translate it to the target file (this way if the mask is not found, you will not return the file).

Joey Moree wrote:

I think you should do this yourself in code. You could link it to an internal entity where you translate it to the target file (this way if the mask is not found, you will not return the file).

Thanks for the quick reply.

I tried digging inside the code. I saw where it sets the path but I couldn't find where this path is used.

My goal is just to make this path not interpretable to the public. My idea was to just convert this to Base64 with salt.

You could do that, but if somebody catches note of your salt they could potentially still access the files you'd rather not have them to.
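
The two approaches discussed in this thread, side by side, as an added example (not code from the Forge component or from any poster): a salted Base64 mask, which is only an encoding and decodes without any secret, and a random token resolved through a server-side lookup that plays the role of the internal entity. `UploadTokenStore`, the `fileId` field and the sample path are hypothetical names and constructed values.

```python
import base64
import secrets

# Constructed sample: an internal temp path of the kind the upload response exposes.
INTERNAL_PATH = "/srv/app/uploads/tmp/3f2a/report.pdf"


def salted_base64_mask(path: str, salt: str) -> str:
    """The 'Base64 with salt' idea: an encoding, not encryption."""
    return base64.urlsafe_b64encode((salt + path).encode()).decode()


def decode_mask(mask: str) -> str:
    """What any client can do with such a mask: decode it, no key required."""
    return base64.urlsafe_b64decode(mask.encode()).decode()


class UploadTokenStore:
    """Stand-in for the internal entity: token -> path, kept server-side only."""

    def __init__(self):
        self._paths = {}

    def register(self, path: str) -> str:
        # 256 random bits, generated independently of the path.
        token = secrets.token_urlsafe(32)
        self._paths[token] = path
        return token

    def resolve(self, token: str):
        # Unknown or forged token: None, so no file is returned.
        return self._paths.get(token)


def upload_response(store: UploadTokenStore, path: str) -> dict:
    """JSON-ready response body that carries only the opaque token."""
    return {"fileId": store.register(path)}


if __name__ == "__main__":
    mask = salted_base64_mask(INTERNAL_PATH, "constructed-salt")
    print("decoded mask:", decode_mask(mask))   # salt and path both visible
    store = UploadTokenStore()
    body = upload_response(store, INTERNAL_PATH)
    print("response:", body)                    # no path in the response
    print("resolved:", store.resolve(body["fileId"]))
    print("forged:", store.resolve("not-a-real-token"))
```
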