Avoid non-blob webresources fields on multipart requests

Change-type: patch
balena-io · Apr 12, 2024 · a5f6022 · a5f6022
1 parent 6b58f09
commit a5f6022
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 9 deletions.
diff --git a/src/webresource-handler/index.ts b/src/webresource-handler/index.ts
@@ -67,6 +67,7 @@ export const getWebresourceHandler = (): WebResourceHandler | undefined => {
 const isFileInValidPath = async (
 	fieldname: string,
 	req: Express.Request,
+	odataRequest: uriParser.ParsedODataRequest,
 ): Promise<boolean> => {
 	if (req.method !== 'POST' && req.method !== 'PATCH') {
 		return false;
@@ -77,10 +78,6 @@ const isFileInValidPath = async (
 		return false;
 	}
 	const model = getModel(apiRoot);
-	const odataRequest = uriParser.parseOData({
-		url: req.url,
-		method: req.method,
-	});
 	const sqlResourceName = sbvrUtils.resolveSynonym(odataRequest);
 
 	const table = model.abstractSql.tables[sqlResourceName];
@@ -124,6 +121,15 @@ export const getUploaderMiddlware = (
 		const bb = busboy({ headers: req.headers });
 		let isAborting = false;
 
+		const parsedOdataRequest = uriParser.parseOData({
+			url: req.url,
+			method: req.method,
+		});
+		const webResourcesFieldNames = getWebResourceFields(
+			parsedOdataRequest,
+			false,
+		);
+
 		const finishFileUpload = () => {
 			req.unpipe(bb);
 			req.on('readable', req.read.bind(req));
@@ -151,7 +157,9 @@ export const getUploaderMiddlware = (
 			completeUploads.push(
 				(async () => {
 					try {
-						if (!(await isFileInValidPath(fieldname, req))) {
+						if (
+							!(await isFileInValidPath(fieldname, req, parsedOdataRequest))
+						) {
 							filestream.resume();
 							return;
 						}
@@ -182,7 +190,15 @@ export const getUploaderMiddlware = (
 		// multipart requests will have two main parts, the file contents and the form fields
 		// This receives the form fields and transforms them into a standard JSON body
 		// This is a similar behavior as previous multer library did
-		bb.on('field', (name, val) => {
+		bb.on('field', async (name, val) => {
+			if (webResourcesFieldNames.includes(name)) {
+				isAborting = true;
+				bb.emit(
+					'error',
+					new errors.BadRequestError('WebResource field must be a blob.'),
+				);
+				return;
+			}
 			req.body[name] = val;
 		});
 
@@ -207,17 +223,17 @@ export const getUploaderMiddlware = (
 			}
 		});
 
-		bb.on('error', async (err) => {
+		bb.on('error', async (err: Error) => {
 			await clearFiles();
 			finishFileUpload();
-			next(err);
+			sbvrUtils.handleHttpErrors(req, res, err);
 		});
 		req.pipe(bb);
 	};
 };
 
 const getWebResourceFields = (
-	request: uriParser.ODataRequest,
+	request: uriParser.ODataRequest | uriParser.ParsedODataRequest,
 	useTranslations = true,
 ): string[] => {
 	// Translations will use modifyFields(translated) rather than fields(original) so we need to

diff --git a/test/06-webresource.test.ts b/test/06-webresource.test.ts
@@ -484,6 +484,16 @@ describe('06 webresources tests', function () {
 					expect(await isEventuallyDeleted(uniqueFilename)).to.be.true;
 				});
 
+				it('should not accept webresource payload that is not a blob', async () => {
+					const res = await supertest(testLocalServer)
+						.post(`/${resourceName}/organization`)
+						.field('name', 'John')
+						.field(resourcePath, 'not a blob')
+						.expect(400);
+
+					expect(res.body).to.equal('WebResource field must be a blob.');
+				});
+
 				it('should not accept webresource payload on application/json requests', async () => {
 					const uniqueFilename = `${randomUUID()}_${filename}`;