You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I have someone pentesting a NodeJS application, which crashes in some cases.
In those occasions, logs would show something like the following:
"error": {
"stack": "TypeError: Cannot read property 'length' of undefined\n at parsePath (/app/node_modules/append-field/lib/parse-path.js:13:17)\n at appendField (/app/node_modules/append-field/index.js:5:15)\n at Busboy.<anonymous> (/app/node_modules/multer/lib/make-middleware.js:92:7)\n at Busboy.emit (events.js:314:20)\n at Busboy.emit (/app/node_modules/busboy/lib/main.js:38:33)\n at PartStream.onEnd (/app/node_modules/busboy/lib/types/multipart.js:261:15)\n at PartStream.emit (events.js:326:22)\n at endReadableNT (_stream_readable.js:1241:12)\n at processTicksAndRejections (internal/process/task_queues.js:84:21)",
"message": "Cannot read property 'length' of undefined"
},
"level": "error",
"message": "uncaughtException: Cannot read property 'length' of undefined\nTypeError: Cannot read property 'length' of undefined\n at parsePath (/app/node_modules/append-field/lib/parse-path.js:13:17)\n at appendField (/app/node_modules/append-field/index.js:5:15)\n at Busboy.<anonymous> (/app/node_modules/multer/lib/make-middleware.js:92:7)\n at Busboy.emit (events.js:314:20)\n at Busboy.emit (/app/node_modules/busboy/lib/main.js:38:33)\n at PartStream.onEnd (/app/node_modules/busboy/lib/types/multipart.js:261:15)\n at PartStream.emit (events.js:326:22)\n at endReadableNT (_stream_readable.js:1241:12)\n at processTicksAndRejections (internal/process/task_queues.js:84:21)",
"stack": "TypeError: Cannot read property 'length' of undefined\n at parsePath (/app/node_modules/append-field/lib/parse-path.js:13:17)\n at appendField (/app/node_modules/append-field/index.js:5:15)\n at Busboy.<anonymous> (/app/node_modules/multer/lib/make-middleware.js:92:7)\n at Busboy.emit (events.js:314:20)\n at Busboy.emit (/app/node_modules/busboy/lib/main.js:38:33)\n at PartStream.onEnd (/app/node_modules/busboy/lib/types/multipart.js:261:15)\n at PartStream.emit (events.js:326:22)\n at endReadableNT (_stream_readable.js:1241:12)\n at processTicksAndRejections (internal/process/task_queues.js:84:21)",
directly passing what's been received to appendField, without validating input.
Considering last commit on that library is over 5 years old, I'm tempted not to touch it.
Hi,
I have someone pentesting a NodeJS application, which crashes in some cases.
In those occasions, logs would show something like the following:
So... it starts in append-field: https://github.com/LinusU/node-append-field/blob/master/lib/parse-path.js#L13
key
is undefined. We can't getkey.length
.parse-path is called from append-field index.js: https://github.com/LinusU/node-append-field/blob/master/index.js#L5
directly passing what's been received to appendField, without validating input.
Considering last commit on that library is over 5 years old, I'm tempted not to touch it.
That appendField is called from multus, that transmits whatever it received from a
field
event: https://github.com/expressjs/multer/blob/master/lib/make-middleware.js#L83-L92While append-field did not do any input sanitation, multer introduces a few checks, yet doesn't look for fieldname not being undefined.
AFAIU, multer receives that event from busboy, around here: https://github.com/mscdex/busboy/blob/master/lib/types/multipart.js#L258-L265
And here too, nothing would ensure that fieldname was actually initialized.
Not sure which part should be fixed ... In doubt, I'll submit a PR here.
The text was updated successfully, but these errors were encountered: