From 853ace7d83424f85d903f6ffe2352bf41f86b7ce Mon Sep 17 00:00:00 2001
From: jfriedli
Date: Fri, 8 May 2020 09:10:18 -0700
Subject: Resolve "Fuzzing Errors /api/upload"
---
 matweb/frontend.py | 6 +++++-
 matweb/rest_api.py | 10 +++++++---
 matweb/utils.py | 2 ++
 3 files changed, 14 insertions(+), 4 deletions(-)
(limited to 'matweb')
diff --git a/matweb/frontend.py b/matweb/frontend.py
index 2e25467..8295f4e 100644
--- a/matweb/frontend.py
+++ b/matweb/frontend.py
@@ -53,8 +53,12 @@ def upload_file():
 if not uploaded_file.filename:
 flash('No selected file')
 return redirect(request.url)
+ try:
+ filename, filepath = utils.save_file(uploaded_file, current_app.config['UPLOAD_FOLDER'])
+ except ValueError:
+ flash('Invalid Filename')
+ return redirect(request.url)
- filename, filepath = utils.save_file(uploaded_file, current_app.config['UPLOAD_FOLDER'])
 parser, mime = utils.get_file_parser(filepath)
 if parser is None:
diff --git a/matweb/rest_api.py b/matweb/rest_api.py
index 4098050..a07d2d2 100644
--- a/matweb/rest_api.py
+++ b/matweb/rest_api.py
@@ -28,11 +28,15 @@ class APIUpload(Resource):
 args = req_parser.parse_args()
 try:
 file_data = base64.b64decode(args['file'])
- except binascii.Error as err:
- abort(400, message='Failed decoding file: ' + str(err))
+ except (binascii.Error, ValueError):
+ abort(400, message='Failed decoding file')
 file = FileStorage(stream=io.BytesIO(file_data), filename=args['file_name'])
- filename, filepath = utils.save_file(file, self.upload_folder)
+ try:
+ filename, filepath = utils.save_file(file, self.upload_folder)
+ except ValueError:
+ abort(400, message='Invalid Filename')
+
 parser, mime = utils.get_file_parser(filepath)
 if parser is None:
diff --git a/matweb/utils.py b/matweb/utils.py
index ec9b99c..20c213d 100644
--- a/matweb/utils.py
+++ b/matweb/utils.py
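Review bot: The new `except ValueError` around `utils.save_file` in upload_file is wider than the condition it reports: `save_file` also calls `file.save` on the upload stream, so a `ValueError` raised there for an unrelated reason (a closed stream, for instance) would now be flashed as 'Invalid Filename' and redirected instead of surfacing as a server-side failure. The same catch appears in the matweb/rest_api.py hunk, and the root is the bare `ValueError` raised in the matweb/utils.py hunk; a dedicated subclass such as `class InvalidFilename(ValueError): ...` raised in utils and caught in both callers would keep each handler tied to the filename check it is meant for. The generic flash text itself is a good choice since it reveals nothing about the rejected name. `upload_file` begins before this hunk, so its earlier validation is not visible here.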
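Review bot: The widened decode guard `except (binascii.Error, ValueError)` still does not cover a missing `file` argument: `binascii.Error` is already a subclass of `ValueError`, so the tuple adds nothing, while `base64.b64decode(None)` raises `TypeError`, which is not caught and would turn into a 500 rather than the intended 400. Whether `args['file']` can be None depends on how `req_parser` declares the argument, which is outside this hunk; if it is not marked `required=True`, either make it required or extend the clause to `except (binascii.Error, ValueError, TypeError):`. Dropping `str(err)` from the response message is an improvement, since the decoder's wording is an internal detail the client does not need. The method containing these lines starts before the hunk.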
@@ -65,6 +65,8 @@ def get_supported_extensions():
 def save_file(file, upload_folder):
 filename = secure_filename(file.filename)
+ if not filename:
+ raise ValueError('Invalid Filename')
 filepath = os.path.join(upload_folder, filename)
 file.save(os.path.join(filepath))
 return filename, filepath
--
cgit v1.3
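Review bot: `save_file` now has a raising contract that two callers in this commit depend on, but no docstring states it; suggest `"""Sanitize file.filename with secure_filename and save it under upload_folder. Returns (filename, filepath). Raises ValueError if the sanitized name is empty."""` directly under the `def` line. Note also that the new check only rejects an empty result: `secure_filename` can map distinct inputs to the same sanitized name, and `file.save` on the unchanged `filepath` line then writes to that same path, so whether a later upload can replace an earlier one depends on how callers use the returned `filename`, which is outside this hunk. The `os.path.join(filepath)` wrapper on the save line is a pre-existing no-op and could be simplified to `file.save(filepath)` while you are here.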