fix(http): prevent JSON payloads from spoofing UploadedFile (original) #459
Summary of changes
An API consumer is currently able to manually specify a JSON payload matching the shape of UploadedFile and Deepkit will accept it. This opens the application up to exploitation by bad actors providing payloads with sensitive paths.
While the developer could verify against the uploadedFiles property of HttpRequest to prevent against this manually, I believe this should be something the framework protects against, plus has the benefit of cleaner code in controllers.
Relinquishment of Rights
Please mark following checkbox to confirm that you relinquish all rights of your changes:
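The manual check the description mentions, taking the file from uploadedFiles instead of trusting a file-shaped value in the request body, shown as an added example that is not part of this pull request or of Deepkit's code. The `RequestLike` and `UploadedFileLike` types, their field names, and the sample requests are constructed assumptions.

```typescript
// Hypothetical stand-ins for the framework types; field names are assumptions.
interface UploadedFileLike { name: string; path: string; size: number; type: string; }

interface RequestLike {
    body: Record<string, unknown>;                    // client-controlled (parsed JSON or form fields)
    uploadedFiles: Record<string, UploadedFileLike>;  // written only by the multipart parser
}

// True when a body value has the shape of an uploaded-file record.
function looksLikeUploadedFile(v: unknown): boolean {
    if (typeof v !== 'object' || v === null) return false;
    const o = v as Record<string, unknown>;
    return typeof o['path'] === 'string' && typeof o['name'] === 'string' && typeof o['size'] === 'number';
}

// Body fields that imitate a file record: candidates for rejection and logging.
function spoofedFileFields(req: RequestLike): string[] {
    return Object.keys(req.body).filter((k) => looksLikeUploadedFile(req.body[k]));
}

// Hand a file to the controller only if the multipart parser produced it.
function trustedUpload(req: RequestLike, field: string): UploadedFileLike | undefined {
    if (!Object.prototype.hasOwnProperty.call(req.uploadedFiles, field)) return undefined;
    return req.uploadedFiles[field];
}

// Constructed sample requests: a JSON body imitating a file, and a real multipart upload.
const jsonRequest: RequestLike = {
    body: { file: { name: 'a.txt', path: '/constructed/sensitive/path', size: 1, type: 'text/plain' } },
    uploadedFiles: {},
};
const multipartRequest: RequestLike = {
    body: { title: 'report' },
    uploadedFiles: { file: { name: 'a.txt', path: '/tmp/constructed-upload-1', size: 12, type: 'text/plain' } },
};

console.log(spoofedFileFields(jsonRequest), trustedUpload(jsonRequest, 'file'));
console.log(spoofedFileFields(multipartRequest), trustedUpload(multipartRequest, 'file')?.path);
```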