Resolve "Fuzzing Errors /api/upload"

2025-05-12 19:22:21 -04:00 · 2020-05-08 09:10:18 -07:00 · 2020-05-08 09:10:18 -07:00 · 853ace7d83
commit 853ace7d83
parent 9157dee69f
5 changed files with 46 additions and 5 deletions
--- a/matweb/rest_api.py
+++ b/matweb/rest_api.py
@ -28,11 +28,15 @@ class APIUpload(Resource):
        args = req_parser.parse_args()
        try:
            file_data = base64.b64decode(args['file'])
-        except binascii.Error as err:
-            abort(400, message='Failed decoding file: ' + str(err))
+        except (binascii.Error, ValueError):
+            abort(400, message='Failed decoding file')

        file = FileStorage(stream=io.BytesIO(file_data), filename=args['file_name'])
-        filename, filepath = utils.save_file(file, self.upload_folder)
+        try:
+            filename, filepath = utils.save_file(file, self.upload_folder)
+        except ValueError:
+            abort(400, message='Invalid Filename')
+
        parser, mime = utils.get_file_parser(filepath)

        if parser is None: