fix(http): prevent JSON payloads from spoofing UploadedFile #460
Summary of changes
An API consumer is currently able to manually specify a JSON payload matching the shape of UploadedFile and Deepkit will accept it. This opens the application up to exploitation by bad actors providing payloads with sensitive paths.
While the developer could verify against the uploadedFiles property of HttpRequest to protect against this manually, I believe this should be something the framework protects against, plus it has the benefit of cleaner code in controllers.
This is an alternate implementation to #459, as #459 does not work when the HttpBody/HttpBodyValidation type argument is a complex type. The `typeof UploadedFileSymbol | null` union resolves the issue described here. My preference would have been to use a Symbol as a key so that it doesn't show up in JSON serialization or IntelliSense, but I couldn't get the symbol to work through deserialization, so even valid uploads would fail post-deserialization validation.
Relinquishment of Rights
Please mark the following checkbox to confirm that you relinquish all rights of your changes:
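Added illustration of the marker-property idea behind this PR (example code, not Deepkit's own implementation; the names `UploadedFileSymbol`, `fromMultipart`, `isGenuineUpload` and `resolveUpload` are assumptions). It shows why a property typed `typeof UploadedFileSymbol | null` defeats spoofing: JSON has no symbol type, so a client-supplied object shaped like UploadedFile can never carry the marker, while objects minted by the framework's multipart parser can.

```typescript
// Constructed names for illustration; Deepkit's real identifiers may differ.
const UploadedFileSymbol: unique symbol = Symbol('UploadedFile');

interface UploadedFile {
  name: string;
  path: string;   // temp path written by the multipart parser, never by the client
  size: number;
  // Only the framework can set this to the runtime symbol; JSON input yields
  // a string, null or undefined here, never a symbol.
  validator: typeof UploadedFileSymbol | null;
}

// Framework side: the multipart parser is the sole producer of marked instances.
function fromMultipart(name: string, tmpPath: string, size: number): UploadedFile {
  return { name, path: tmpPath, size, validator: UploadedFileSymbol };
}

// Post-deserialization validation for any body field typed as UploadedFile.
function isGenuineUpload(value: unknown): value is UploadedFile {
  if (typeof value !== 'object' || value === null) return false;
  const v = value as Record<string, unknown>;
  return (
    typeof v.name === 'string' &&
    typeof v.path === 'string' &&
    typeof v.size === 'number' &&
    v.validator === UploadedFileSymbol   // identity check: cannot be forged via JSON
  );
}

// Controller-side guard: reject a spoofed upload before its path is ever used.
function resolveUpload(body: unknown): UploadedFile {
  if (!isGenuineUpload(body)) {
    throw new Error('body does not contain a framework-created UploadedFile');
  }
  return body;
}

// Constructed sample: a JSON payload mimicking UploadedFile, pointing at a path
// the client should never be able to make the server read.
const spoofedJson = JSON.stringify({
  name: 'config', path: '/example/sensitive/file', size: 1,
  validator: 'UploadedFileSymbol',   // a string, not the symbol
});
```

Running `isGenuineUpload(JSON.parse(spoofedJson))` returns false, while a value from `fromMultipart` passes; the check costs one strict equality and needs no lookup in `HttpRequest.uploadedFiles`.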