a0abb99f76
This PR also removes the java folder because it is not implemented and has no implementation plan. This PR was made spontaneously during Daniel's onboarding. --------- Co-authored-by: daniel-teuchert-sonarsource <141642369+daniel-teuchert-sonarsource@users.noreply.github.com>
51 lines
1.0 KiB
Plaintext
51 lines
1.0 KiB
Plaintext
== How to fix it in Multer
|
|
|
|
=== Code examples
|
|
|
|
==== Noncompliant code example
|
|
|
|
The following code sample is vulnerable because it implicitly uses `/tmp` or
|
|
`/var/tmp` as upload directory.
|
|
|
|
[source,javascript,diff-id=2,diff-type=noncompliant]
|
|
----
|
|
const crypto = require('node:crypto');
|
|
const multer = require('multer');
|
|
|
|
let diskStorage = multer.diskStorage({
|
|
filename: (req, file, cb) => {
|
|
const buf = crypto.randomBytes(20);
|
|
cb(null, buf.toString('hex'))
|
|
}
|
|
}); // Noncompliant
|
|
|
|
let diskUpload = multer({
|
|
storage: diskStorage,
|
|
});
|
|
----
|
|
|
|
==== Compliant code example
|
|
|
|
[source,javascript,diff-id=2,diff-type=compliant]
|
|
----
|
|
const multer = require('multer');
|
|
|
|
let diskStorage = multer.diskStorage({
|
|
filename: (req, file, cb) => {
|
|
const buf = crypto.randomBytes(20);
|
|
cb(null, buf.toString('hex'))
|
|
},
|
|
destination: (req, file, cb) => {
|
|
cb(null, '/uploads/')
|
|
}
|
|
});
|
|
|
|
let diskUpload = multer({
|
|
storage: diskStorage,
|
|
});
|
|
----
|
|
|
|
=== How does this work?
|
|
|
|
include::../../common/fix/allowed-folder.adoc[]
|