
I have a REST web service that accepts a bunch of fields. These fields are going to have processing and eventually become part of an email.


When I am building up the email, the field called message.image will later become rc.image and it will be added to the HTML email via

...
var body &= "<p><img src='#EncodeForHTMLAttribute(rc.image)#' alt='#EncodeForHTMLAttribute(rc.image_name)#'></p>"; 
...

My concern is that this could still be a vulnerability.

James A Mohler
  • I'm sure you're sanitizing the content of the text fields, but are you verifying the content of the image upload is actually an image with the correct mime-type and not some kind of data packet? – Adrian J. Moreno Jun 08 '20 at 15:40
  • I am not doing any verifying right now. I am not sure what kind of verifying even needs to be done. – James A Mohler Jun 08 '20 at 19:15
  • It's basically an upload, so most anything that applies to image file uploads is probably applicable https://owasp.org/www-community/vulnerabilities/Unrestricted_File_Upload – SOS Jun 09 '20 at 00:27
  • @AdrianJ.Moreno To quote the great Pete Freitag, "Never trust a mime." :-) https://www.petefreitag.com/presentations/cfsummit/2015/security-workshop.pdf – Shawn Jun 11 '20 at 17:05
  • @Shawn Yes, that's why I use a library like https://github.com/arimus/jmimemagic to validate the file's mime-type on the server as part of the upload validation routine. – Adrian J. Moreno Jun 11 '20 at 20:46
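
The comments above suggest verifying that the uploaded content really is an image. `EncodeForHTMLAttribute` keeps the value from breaking out of the attribute, but it does not check what the value is. One way to check it before it reaches `src`, as an added example that is not part of the original post: it assumes `rc.image` arrives as a base64 `data:` URI (the page does not show the field's format), and `verifiedImageSrc` is a hypothetical helper name.

```cfml
// Added example (cfscript), not the poster's code.
// Assumption: rc.image is a base64 "data:" URI. verifiedImageSrc is a hypothetical name.
function verifiedImageSrc(required string value) {
    // Leading bytes (hex) of the only formats accepted.
    // SVG is left out on purpose: it can carry script.
    var signatures = {
        "image/png"  : "89504E470D0A1A0A",
        "image/jpeg" : "FFD8FF",
        "image/gif"  : "47494638"
    };
    var mime = "";

    // Only data:<type>;base64,<payload> passes; javascript:, http: and
    // any other scheme is rejected here.
    var m = reFindNoCase("^data:[a-z0-9.+/-]+;base64,([A-Za-z0-9+/]+=*)$", arguments.value, 1, true);
    if (m.pos[1] == 0) {
        throw(type="InvalidImage", message="Value is not a base64 data URI");
    }
    var payload = mid(arguments.value, m.pos[2], m.len[2]);

    try {
        // Full decode proves the payload is well-formed base64.
        var bytes = binaryDecode(payload, "base64");
        // The first 16 base64 characters decode to the first 12 bytes.
        var head = uCase(binaryEncode(binaryDecode(left(payload, 16), "base64"), "hex"));
    } catch (any e) {
        throw(type="InvalidImage", message="Payload is not valid base64");
    }

    // Match on content; the type declared in the URI is ignored ("never trust a mime").
    for (mime in signatures) {
        // compare() is an exact string comparison, so hex digits are never read as numbers.
        if (compare(left(head, len(signatures[mime])), signatures[mime]) == 0) {
            // Rebuild the URI from the sniffed type and the re-encoded bytes.
            return "data:" & mime & ";base64," & binaryEncode(bytes, "base64");
        }
    }
    throw(type="InvalidImage", message="Content is not PNG, JPEG or GIF");
}

// Inside the handler: encoding still happens at the point of output, on the verified value.
var src = verifiedImageSrc(rc.image);
body &= "<p><img src='#encodeForHTMLAttribute(src)#' alt='#encodeForHTMLAttribute(rc.image_name)#'></p>";
```

A signature match only shows that the content starts like an image. Decoding and re-encoding it with an image library is a stronger check.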

0 Answers