[$30] able to upload all types of files after changing the extension to ".xlsx" in upload profile data tab #269

rprakash20 · 2020-07-12T15:17:28Z

Steps to Reproduce

Open https://skill-search.topcoder-dev.com/ web app
Login with tonyj /appirio123
Select topcoder as organization
Navigate to third tab
Now on your system, take a image file and change its's extension to ".xlsx"
Now click on browse and select the file whose extension is changes in previous step and upload
Notice the result

Screenshots or Screen Capture

Current Results

able to upload all types of files after changing the extension to ".xlsx" in upload profile data tab

Expected Results

application must validate the MIME type of the file uploaded before saving it. This can be a big security risk.

Browser version and OS version

Device: MacBook Pro 13 inch
Browser: Chrome Version 83.0.4103.116 (Official Build) (64-bit)
OS Version: macOS Catalina 10.15.4

callmekatootie · 2020-07-17T14:49:56Z

Valid bug.

callmekatootie · 2020-07-25T06:41:24Z

Expected: In the backend (under the src folder), in the api handle, detect the file type using https://www.npmjs.com/package/file-type module and reject if the file type is not among the supported file types

Note that for csv and xls, the module will return undefined and that is ok - in such a case, just ensure that the file.type is in the approved list

cwdcwd · 2020-07-25T06:43:31Z

Contest https://www.topcoder.com/challenges/30134277 has been created for this ticket.

This is an automated message for lazybaer via Topcoder X

cwdcwd · 2020-07-25T06:53:57Z

Contest https://www.topcoder.com/challenges/30134277 has been updated - it has been assigned to Suman-953556.

This is an automated message for lazybaer via Topcoder X

callmekatootie · 2020-07-26T06:36:09Z

@Giri-Suman I am afraid I have to open this for others to work on

cwdcwd · 2020-07-26T06:37:42Z

Contest https://www.topcoder.com/challenges/30134277 has been updated - it has been assigned to cagdas001.

This is an automated message for lazybaer via Topcoder X

Add mime-type check at `UploadService#create`. Addresses topcoder-archive#269

cagdas001 · 2020-07-26T11:34:03Z

PR: #608

cwdcwd · 2020-07-26T17:19:30Z

Payment task has been updated: https://software.topcoder.com/review/actions/ViewProjectDetails?pid=30134277

This is an automated message for lazybaer via Topcoder X

callmekatootie self-assigned this Jul 16, 2020

callmekatootie removed their assignment Jul 17, 2020

callmekatootie added the bug Something isn't working label Jul 17, 2020

wdprice added the high priority Must-fix issue label Jul 20, 2020

wdprice added this to the v1.0 - Initial Launch milestone Jul 20, 2020

callmekatootie self-assigned this Jul 21, 2020

callmekatootie changed the title ~~able to upload all types of files after changing the extension to ".xlsx" in upload profile data tab~~ [$30] able to upload all types of files after changing the extension to ".xlsx" in upload profile data tab Jul 25, 2020

callmekatootie removed their assignment Jul 25, 2020

callmekatootie added the tcx_OpenForPickup label Jul 25, 2020

Giri-Suman self-assigned this Jul 25, 2020

cwdcwd added tcx_Assigned and removed tcx_OpenForPickup labels Jul 25, 2020

Giri-Suman pushed a commit that referenced this issue Jul 25, 2020

issue #269 fixed

3acfd99

Giri-Suman added the tcx_ReadyForReview label Jul 25, 2020

Giri-Suman mentioned this issue Jul 25, 2020

issue #269 fixed #594

Closed

callmekatootie added tcx_Feedback and removed tcx_ReadyForReview labels Jul 25, 2020

callmekatootie removed tcx_Assigned tcx_Feedback labels Jul 26, 2020

callmekatootie unassigned Giri-Suman Jul 26, 2020

callmekatootie added the tcx_OpenForPickup label Jul 26, 2020

cagdas001 self-assigned this Jul 26, 2020

cwdcwd added tcx_Assigned and removed tcx_OpenForPickup labels Jul 26, 2020

cagdas001 added a commit to cagdas001/u-bahn-app that referenced this issue Jul 26, 2020

fix(upload): add mime-type check at file uploads

43f8f8c

Add mime-type check at `UploadService#create`. Addresses topcoder-archive#269

cagdas001 mentioned this issue Jul 26, 2020

fix(upload): add mime-type check at file uploads #608

Merged

cagdas001 added the tcx_ReadyForReview label Jul 26, 2020

callmekatootie added tcx_FixAccepted and removed tcx_ReadyForReview labels Jul 26, 2020

callmekatootie closed this as completed Jul 26, 2020

cwdcwd added the tcx_Paid label Jul 26, 2020

snyk-bot mentioned this issue Jan 27, 2022

[Snyk] Security upgrade swagger-ui-express from 4.1.4 to 4.2.0 #687

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[$30] able to upload all types of files after changing the extension to ".xlsx" in upload profile data tab #269

[$30] able to upload all types of files after changing the extension to ".xlsx" in upload profile data tab #269

rprakash20 commented Jul 12, 2020

callmekatootie commented Jul 17, 2020

callmekatootie commented Jul 25, 2020

cwdcwd commented Jul 25, 2020

cwdcwd commented Jul 25, 2020

callmekatootie commented Jul 26, 2020

cwdcwd commented Jul 26, 2020

cagdas001 commented Jul 26, 2020

cwdcwd commented Jul 26, 2020

[$30] able to upload all types of files after changing the extension to ".xlsx" in upload profile data tab #269

[$30] able to upload all types of files after changing the extension to ".xlsx" in upload profile data tab #269

Comments

rprakash20 commented Jul 12, 2020

Steps to Reproduce

Screenshots or Screen Capture

Current Results

Expected Results

Browser version and OS version

callmekatootie commented Jul 17, 2020

callmekatootie commented Jul 25, 2020

cwdcwd commented Jul 25, 2020

cwdcwd commented Jul 25, 2020

callmekatootie commented Jul 26, 2020

cwdcwd commented Jul 26, 2020

cagdas001 commented Jul 26, 2020

cwdcwd commented Jul 26, 2020