JS: add req.files as a RequestInputAccess in the Express model #4331

Merged
codeql-ci merged 2 commits into github:main from erik-krogh:DVNA-files
Sep 25, 2020
@erik-krogh erik-krogh commented Sep 23, 2020

Gets a TP/TN for this example vulnerability from Damn Vulnerable NodeJS Application.

For most intents and purposes req.files behaves the same as req.body (it is completely user controllable).
So I just reused the kind = "body".

@github-actions github-actions bot added the JS label Sep 23, 2020
@erik-krogh erik-krogh marked this pull request as ready for review September 23, 2020 18:39
@erik-krogh erik-krogh requested a review from a team as a code owner September 23, 2020 18:39
@esbena esbena left a comment

LGTM, some minor comment on the test case.
Is .files really only relevant for express?

@erik-krogh
Contributor Author

> Is .files really only relevant for express?

I think so. The req.files property seems to be created by the express-fileupload middleware.

@codeql-ci codeql-ci merged commit ea5feb2 into github:main Sep 25, 2020
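
The point made in the thread, that `req.files` is request input just like `req.body`, shown as an added example (not code from this pull request, from CodeQL or from DVNA). The object below is a constructed stand-in for what the express-fileupload middleware puts in `req.files`; the field name `upload`, the directory and both helper names are hypothetical.

```javascript
const path = require("path").posix; // POSIX rules so results are the same on any host

// Constructed sample of what a handler sees as req.files after a multipart upload.
// name, mimetype and data are all taken from the request body, so the client
// chooses every one of them.
const req = {
  files: {
    upload: {
      name: "../../views/index.ejs",
      mimetype: "text/xml",
      data: Buffer.from("<products/>"),
    },
  },
};

// Before: the file name is used as if the server had chosen it.
function naiveDestination(uploadDir, file) {
  return path.join(uploadDir, file.name);
}

// After: the name is validated like any other request input.
// Returns an absolute path inside uploadDir, or null if the upload is rejected.
function safeDestination(uploadDir, file) {
  if (!file || typeof file.name !== "string") return null;
  // Allow-list: no separators, no leading dot, bounded length.
  if (!/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}$/.test(file.name)) return null;
  const root = path.resolve(uploadDir);
  const dest = path.resolve(root, file.name);
  // Containment check as a second layer behind the allow-list.
  return dest.startsWith(root + "/") ? dest : null;
}

const UPLOAD_DIR = "/srv/app/uploads"; // hypothetical directory
console.log(naiveDestination(UPLOAD_DIR, req.files.upload)); // lands outside UPLOAD_DIR
console.log(safeDestination(UPLOAD_DIR, req.files.upload)); // rejected
console.log(safeDestination(UPLOAD_DIR, { name: "catalog.xml" })); // accepted
```

A model that treats `req.files` as a `RequestInputAccess` lets the analysis follow `file.name` in the first helper the same way it would follow a value read from `req.body`.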