Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Not handled DecodeError on the server side on file upload with double extension #8544

Open
3 of 4 tasks
murmuruuu opened this issue Apr 19, 2024 · 1 comment
Open
3 of 4 tasks

Not handled DecodeError on the server side on file upload with double extension #8544

murmuruuu opened this issue Apr 19, 2024 · 1 comment
Labels
feature:st.file_uploader status:needs-triage Has not been triaged by the Streamlit team type:bug Something isn't working

Comments

@murmuruuu
Copy link

Checklist

  • I have searched the existing issues for similar issues.
  • I added a very descriptive title to this issue.
  • I have provided sufficient information below to help reproduce this issue.

Summary

Hello streamlit team,

first of all thank you for the great work!
We have developed an application using streamlit, deployed our application as a container using Azure App services and in order to tackle the security concerns we have been performing penetration tests.

A minor finding was related to improper error handling, as both on client side and the server side, a traceback should not be displayed because this can pose security risks.

We can't solve it on the application side as the error gets displayed from the streamlit scripts.

Reproducible Code Example

try:
    with st.form("file-upload-form", clear_on_submit=True):
        uploaded_file = st.file_uploader(label='Please select a file.', accept_multiple_files=False, type="xlsx")
        submitted = st.form_submit_button("Upload")
except Exception as e:
    msg = "The file could not be uploaded."
    logger.error(msg)
    st.write(msg)
    raise ValueError(msg)

Steps To Reproduce

  1. Download BurpSuite https://portswigger.net/burp/communitydownload
  2. Onboard yourself with:
    - https://portswigger.net/burp/documentation/desktop/getting-started/intercepting-http-traffic
    - https://portswigger.net/burp/documentation/desktop/getting-started/modifying-http-requests
  3. Access the application from the browser from BurpSuite
  4. Upload a file with double extension: e.g. test_file.php.xlsx
  5. After file upload, enable "Incercepting" and update the file extension in the raw message removing .xlsx:
    image
    image
  6. Click forward 2-4 times
  7. DecodeError is displayed on the server side:
    image

Expected Behavior

I expect that the DecodeError is properly handled, no traceback is displayed on server but rather a custom message.

Current Behavior

Error message on server:

�DecodeError��Error parsing message���File "/usr/local/lib/python3.9/site-packages/streamlit/web/server/browser_websocket_handler.py", line 164, in on_message
    msg.ParseFromString(payload)

Handled error on client:
image

Is this a regression?

  • Yes, this used to work in a previous version.

Debug info

  • Streamlit version: 1.29.0
  • Python version: 3.9
  • Operating System: OS FROM python:3.9-slim
  • Browser: Chrome

Additional Information

No response
@murmuruuu murmuruuu added status:needs-triage Has not been triaged by the Streamlit team type:bug Something isn't working labels Apr 19, 2024
@github-actions GitHub Actions
Copy link

If this issue affects you, please react with a 👍 (thumbs up emoji) to the initial post.

Your feedback helps us prioritize which bugs to investigate and address first.

Visits

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature:st.file_uploader status:needs-triage Has not been triaged by the Streamlit team type:bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@LukasMasuch @murmuruuu