Merge pull request #5759 from Countly/johnWeak-master

Add session check to formdata
Countly · Nov 12, 2024 · 4e18341 · 4e18341
2 parents b13fd02 + aff4668
commit 4e18341
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,9 @@ Enterprise fixes:
 - [nps] Fixed bug in the editor where the "internal name" field was not mandatory
 - [ratings] Fixed UI bug where "Internal name" was not a mandatory field
 
+Security:
+- Fixing minor vulnerability that would allow for unauthorized file upload
+
 ## Version 24.05.16
 Fixes:
 - [core] Replaced "Users" with "Sessions" label on technology home widgets

diff --git a/frontend/express/app.js b/frontend/express/app.js
@@ -603,6 +603,10 @@ Promise.all([plugins.dbConnection(countlyConfig), plugins.dbConnection("countly_
     app.use(function(req, res, next) {
         var contentType = req.headers['content-type'];
         if (req.method.toLowerCase() === 'post' && contentType && contentType.indexOf('multipart/form-data') >= 0) {
+            if (!req.session?.uid || Date.now() > req.session?.expires) {
+                res.status(401).send('Unauthorized');
+                return;
+            }
             var form = new formidable.IncomingForm();
             form.uploadDir = __dirname + '/uploads';
             form.parse(req, function(err, fields, files) {