Insecure file upload - Files Limit

Description

There is no limit on the number of files a user can upload as an avatar per unit of time, and uploading a new avatar does not delete the previous one from the server, so every upload adds another file to storage.

Impact

An attacker can upload a large number of files, each within the per-file size limit, one after another, consuming server storage without bound and degrading or denying service for other users.

Recommendation

Delete the previous avatar file when a new one is uploaded (keep exactly one avatar per user), and throttle upload requests per user so that the number of uploads per unit of time is bounded.

Threat

An attacker on the Internet holding a valid session token that allows uploading files.

Expected Remediation Time

⌚ 45 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: L
  • Privileges required: L
  • User interaction: N
  • Scope: U
  • Confidentiality: N
  • Integrity: L
  • Availability: N

Temporal

  • Exploit code maturity: X
  • Remediation level: X
  • Report confidence: X

Result

  • Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:X/RL:X/RC:X
  • Score:
    • Base: 4.3
    • Temporal: 4.3
  • Severity:
    • Base: Medium
    • Temporal: Medium

Code Examples

Compliant code

The file is passed through a validation routine before it is uploaded. The same validation must be enforced on the server, since a client-side check alone can be bypassed.

const axios = require('axios');
const FormData = require('form-data'); // Node form-data package, provides getHeaders()

const upload = async (userFile) => {
  try {
    // clearUserFile is the application's own routine that checks the
    // user's file (type, size, content) before it is sent
    const cleanfile = clearUserFile(userFile);
    const title = 'My file';
    const form = new FormData();
    form.append('title', title);
    form.append('file', cleanfile);
    const resp = await axios.post('http://localhost:3000/upload', form, {
      headers: {
        ...form.getHeaders(),
      },
    });
    if (resp.status === 200) {
      return 'Upload complete';
    }
  } catch (err) {
    return new Error(err.message);
  }
};

Non compliant code

The file is appended to the request and uploaded without any verification of its content.

const axios = require('axios');
const FormData = require('form-data'); // Node form-data package, provides getHeaders()

const upload = async (userFile) => {
  try {
    const title = 'My file';
    const form = new FormData();
    form.append('title', title);
    // Uploading the file without verifying its data
    form.append('file', userFile);
    const resp = await axios.post('http://localhost:3000/upload', form, {
      headers: {
        ...form.getHeaders(),
      },
    });
    if (resp.status === 200) {
      return 'Upload complete';
    }
  } catch (err) {
    return new Error(err.message);
  }
};

Requirements