Undefined fieldname

[faust64]

Hi,

I have someone pentesting a NodeJS application, which crashes in some cases.
In those occasions, logs would show something like the following:

	"error": {
		"stack": "TypeError: Cannot read property 'length' of undefined\n    at parsePath (/app/node_modules/append-field/lib/parse-path.js:13:17)\n    at appendField (/app/node_modules/append-field/index.js:5:15)\n    at Busboy.<anonymous> (/app/node_modules/multer/lib/make-middleware.js:92:7)\n    at Busboy.emit (events.js:314:20)\n    at Busboy.emit (/app/node_modules/busboy/lib/main.js:38:33)\n    at PartStream.onEnd (/app/node_modules/busboy/lib/types/multipart.js:261:15)\n    at PartStream.emit (events.js:326:22)\n    at endReadableNT (_stream_readable.js:1241:12)\n    at processTicksAndRejections (internal/process/task_queues.js:84:21)",
		"message": "Cannot read property 'length' of undefined"
	},
	"level": "error",
	"message": "uncaughtException: Cannot read property 'length' of undefined\nTypeError: Cannot read property 'length' of undefined\n    at parsePath (/app/node_modules/append-field/lib/parse-path.js:13:17)\n    at appendField (/app/node_modules/append-field/index.js:5:15)\n    at Busboy.<anonymous> (/app/node_modules/multer/lib/make-middleware.js:92:7)\n    at Busboy.emit (events.js:314:20)\n    at Busboy.emit (/app/node_modules/busboy/lib/main.js:38:33)\n    at PartStream.onEnd (/app/node_modules/busboy/lib/types/multipart.js:261:15)\n    at PartStream.emit (events.js:326:22)\n    at endReadableNT (_stream_readable.js:1241:12)\n    at processTicksAndRejections (internal/process/task_queues.js:84:21)",
	"stack": "TypeError: Cannot read property 'length' of undefined\n    at parsePath (/app/node_modules/append-field/lib/parse-path.js:13:17)\n    at appendField (/app/node_modules/append-field/index.js:5:15)\n    at Busboy.<anonymous> (/app/node_modules/multer/lib/make-middleware.js:92:7)\n    at Busboy.emit (events.js:314:20)\n    at Busboy.emit (/app/node_modules/busboy/lib/main.js:38:33)\n    at PartStream.onEnd (/app/node_modules/busboy/lib/types/multipart.js:261:15)\n    at PartStream.emit (events.js:326:22)\n    at endReadableNT (_stream_readable.js:1241:12)\n    at processTicksAndRejections (internal/process/task_queues.js:84:21)",

So... it starts in append-field: https://github.com/LinusU/node-append-field/blob/master/lib/parse-path.js#L13

key is undefined. We can't get key.length.

parse-path is called from append-field index.js: https://github.com/LinusU/node-append-field/blob/master/index.js#L5

directly passing what's been received to appendField, without validating input.
Considering last commit on that library is over 5 years old, I'm tempted not to touch it.

That appendField is called from multus, that transmits whatever it received from a field event: https://github.com/expressjs/multer/blob/master/lib/make-middleware.js#L83-L92

While append-field did not do any input sanitation, multer introduces a few checks, yet doesn't look for fieldname not being undefined.

AFAIU, multer receives that event from busboy, around here: https://github.com/mscdex/busboy/blob/master/lib/types/multipart.js#L258-L265

And here too, nothing would ensure that fieldname was actually initialized.
Not sure which part should be fixed ... In doubt, I'll submit a PR here.

[mscdex]

If you can provide a minimal reproduction against the current master branch, let me know.