naxon / laravel-url-uploaded-file Goto Github PK

When you check if the file is valid than i get some error;

$source = UrlUploadedFile::createFromUrl($url);
dump($source->isValid());
dump($source->getErrorMessage());

"The file "" was not uploaded due to an unknown error."

⚠️ Potential Vulnerability in laravel-url-uploaded-file

👋 Hello, @Naxon - @wapwn has disclosed a potential vulnerability in your repository. To validate or invalidate this potential vulnerability, please visit https://huntr.dev/bounties/1-packagist-naxon/laravel-url-uploaded-file and join our community in helping secure open-source code.

☎️ Need further support?

Come and join us on our Discord and a member of our team will be happy to help! 🤗

cc - @JamieSlome

Hey,

I'm not sure if it's the responsibility of this library, but accepting a URL from user input and handling the resulting file might have some security implications.

For example:

• the scheme might be something other than http/https
• the scheme might be missing
• the URL might point to something like /etc/passwd
• the URL might point to some internal URL which you don't want to expose (like the AWS Instance Metadata endpoint)

Do you think checks / validations for the above points should / could be part of this library, or is that outside of its scope / responsibilities?

I am shifting projects over to use PHP 8 and your library that I use is locked at 7.4. Is it compatible with 8 and if so, can it be upgraded so I don't need to fork?

When i create a file from url, the file is not valid.

$source = UrlUploadedFile::createFromUrl('https://ny2m44ls0z.b-cdn.net/w_1280,h_720/s3-siris/940a5248-4d5b-4629-a00e-182c1ce4251d.jpg')
dump($source);

Response

Naxon\UrlUploadedFile\UrlUploadedFile {[#1098]()
  -test: false
  -originalName: ""
  -mimeType: "application/octet-stream"
  -error: 0
  #hashName: null
  path: "/tmp"
  filename: "url-file-eh0Tqw"
  basename: "url-file-eh0Tqw"
  pathname: "/tmp/url-file-eh0Tqw"
  extension: ""
  realPath: "/tmp/url-file-eh0Tqw"
  aTime: 2022-03-10 14:30:37
  mTime: 2022-03-10 14:30:37
  cTime: 2022-03-10 14:30:37
  inode: 10228269
  size: 192254
  perms: 0100600
  owner: 33
  group: 1000
  type: "file"
  writable: true
  readable: true
  executable: false
  file: true
  dir: false
  link: false
}

Is there something what i do wrong?