Vulnerability CVE-2022-29622 is reported by Whitesource

[johnchen05]

https://www.whitesourcesoftware.com/vulnerability-database/CVE-2022-29622

[GrosSacASac]

Conditions to be vulnerable

• eval (user input) file name as code (for example unescaped in html)
• use the keepextension option
• use linux or ios (where <> are valid file chars)
• not using the filename option , or using it without validating user input
• use version 3.2.3 or earlier

Please install version 3.2.4 to have safer defaults

[andyedwardsibm]

Is there an official view of whether the v2 stream is also affected? The latest on https://www.npmjs.com/package/formidable right now is 2.0.1 and the advisory at GHSA-8cp3-66vr-3r4c has no information on the version ranges affected. Looking at #857 and

formidable/src/Formidable.js

Line 527 in 48521d7

_getExtension(str) {

it looks like it is

[GrosSacASac]

v2 has other vulnerabilities as well,
thank you for reminding me to tag v3 as latest, I will do it soon

[krsubbar]

@GrosSacASac I still see 2.01 as the version at https://www.npmjs.com/package/formidable . Can we mark v3 as latest as you suggested above?

[wxhthx]

@GrosSacASac As I fond the v3.2.4 ver on npm, When can we make the v3.2.4 tag on github ? We need the github tag

[kolbma]

WTF...?!
@GrosSacASac
Where is here the problem, when someone uploads a valid filename to the system with HTML-Tags and JS in it?

Doesn't the problem only exist in any frontend application showing filenames from the system unfiltered in any browser etc...?!

With this fix you have broken a valid usecase. Invalid filenames are only invalid if the filesystem says they are invalid and fs-module throws exceptions.

Do I miss the real problem here?

[GrosSacASac]

Doesn't the problem only exist in any frontend application showing filenames from the system unfiltered in any browser etc...?!

Correct.

The fix is to help people have safe default even if they blind copy paste code from stack-overflow for example.

If you want to have any filename possible, you can still do it by using the explicit filename option.

Having safe defaults is a principle I adhere to.

[kolbma]

Having safe defaults is a principle I adhere to.

Hopefully you will not get the idea of filename length or special unicode might also be a problem in some of the many client applications and operating systems out there. Never ending story if you'd like to hit this on the wrong side.
Did ever before came anybody to the thoughts to limit the capability of scp, what filenames it may accept because somebody could show a textual directory listing of the server per web application?

[GrosSacASac]

There was already removal of invalid characters from filename in the code since 2011-2010.
If you look at the Pr you will see I only made it work 100% of the time. I did not add it.