Description
The getPresignedPost function in next-ts/src/lib/common/server-actions.ts currently has security vulnerabilities that need to be addressed before release 1:
Issues
- Silent fallback to test paths: if studentId or filename is undefined/empty, files are written to student-documents/test/test-file without throwing an error
- Path traversal vulnerability: filename is user-supplied and directly interpolated into the S3 key without sanitization (e.g., ../../other-bucket-path/malicious)
Proposed Solution
- Validate that studentId and filename are present (throw an error if either is missing or empty)
- Sanitize filename to prevent path traversal (reject/strip path separators like "/" and "\", remove ".." segments)
- Enforce allowed-character regex and max length for filename
- Remove silent fallback defaults when constructing the S3 Key
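The following is an added example of the hardened key construction the proposal describes; it is not code from the project's server-actions.ts. The function names, the 128-character limit, the allow-list regex for filename and the studentId format are assumptions, and it rejects bad input with an error rather than silently renaming or defaulting.

```typescript
// Added example (not the project's code). Builds the S3 key for a student
// document with no silent fallback and with the filename validated.
const MAX_FILENAME_LENGTH = 128;                       // assumed limit
const SAFE_FILENAME = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;  // assumed allow-list
const SAFE_STUDENT_ID = /^[A-Za-z0-9_-]+$/;            // assumed id format

class InvalidUploadError extends Error {}

// Replaces the old "|| 'test'" style default: missing input is an error.
function requireNonEmpty(value: unknown, field: string): string {
  if (typeof value !== "string" || value.trim() === "") {
    throw new InvalidUploadError(`${field} is required`);
  }
  return value;
}

// Returns the filename unchanged if it is safe to embed in a key, else throws.
// Rejecting (instead of stripping) keeps "a/../b.pdf" from becoming "ab.pdf".
function sanitizeFilename(raw: unknown): string {
  const name = requireNonEmpty(raw, "filename");
  if (name.length > MAX_FILENAME_LENGTH) {
    throw new InvalidUploadError("filename too long");
  }
  if (/[\/\\]/.test(name)) {
    throw new InvalidUploadError("filename must not contain path separators");
  }
  if (name === "." || name.includes("..")) {
    throw new InvalidUploadError("filename must not contain '..' segments");
  }
  if (!SAFE_FILENAME.test(name)) {
    throw new InvalidUploadError("filename contains disallowed characters");
  }
  return name;
}

// Key used for the presigned POST; both segments are validated first.
function buildStudentDocumentKey(studentId: unknown, filename: unknown): string {
  const id = requireNonEmpty(studentId, "studentId");
  if (!SAFE_STUDENT_ID.test(id)) {
    throw new InvalidUploadError("studentId contains disallowed characters");
  }
  return `student-documents/${id}/${sanitizeFilename(filename)}`;
}
```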
References
Target
Pre-release 1