I was working on my PDF Merger plugin, trying to add backend support. This meant I needed a way to upload merged files to the database. I stumbled across @aaronsheldon's post (Native File Operations in Server Actions) explaining the process. In it, he describes how, to upload a file, you must make a POST request to the Bubble.io application’s home URL, at the “/fileupload” endpoint.
I wanted to test my plugin in something easier to debug (the plugin editor is atrocious) so I was working with the code locally and using python and Postman to test things out.
Upon trying this in Postman, without ANY authentication, I was able to upload files to my application… At first, I thought Postman was using the session cookies from my browser to authenticate, so I logged into a remote server, and in python, tried the exact same functioning code to post the request. And it worked… without ANY authentication. This is a remote Ubuntu server, i.e. not the Bubble backend.
This is a huge “Unrestricted File Upload” vulnerability. Essentially, anyone can upload any files to any Bubble application, all they need is its URL.
Any malicious actor could (theoretically) send hundreds of file uploads to your application, quickly draining all of your database storage. Then, any file upload/create workflows on an application would fail, severely impacting your applications and associated business with them.
I immediately wrote to the Bubble support team to fix this. This needs to be patched. They don’t seem to care:
For the amount Bubble costs, and their controversial decision to begin cracking down on database storage (which we pay an arm and a leg for), the ability for anyone in the world to flood and fill my database is absolutely absurd.
They need to limit that endpoint to internal servers/same origin only.
I wasn’t going to post about this until it was patched, but they don’t seem to want to patch it, and it needs awareness and outrage in order for them to patch it.
Violation of their own Obligations:
This likely violates Bubble’s own obligations under the Terms of Service:
Bubble will employ industry-standard technical, logical, and physical security measures and practices for the Platform and any Bubble systems on which Direct User Content (as defined in Section 5(a)) is stored or processed designed to preserve the security and integrity of, and prevent unauthorized access to, the Platform, Bubble Sites, and Direct User Content.
@emmanuel there is no way this type of vulnerability is an “industry-standard… security measure”.
“prevent unauthorized access to” is pretty clear…
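A small probe you can run against an app you own to see whether its “/fileupload” endpoint still accepts an anonymous POST, as an added example that is not part of the original post or of Bubble's or Aaron Sheldon's code. It sends a one-line text file with no cookies and no Authorization header, so any 2xx response means the upload was accepted without authentication. The multipart field name `file` and the exact request shape are assumptions (the post only states the URL and method), and every upload that succeeds consumes your own storage quota, so run it once and delete the result.

```python
"""Check whether a Bubble app's /fileupload endpoint accepts an unauthenticated POST.

Added example, not code from the original post. The multipart field name and
request shape are assumptions; only the URL path and the absence of any
credentials come from the post itself.
"""
import sys
import uuid
import urllib.error
import urllib.request

FIELD_NAME = "file"  # assumption: the form field the endpoint reads the file from


def build_multipart(field_name, filename, content, content_type="text/plain", boundary=None):
    """Return (body, Content-Type header) for a single-file multipart/form-data POST."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field_name}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + content + tail, f"multipart/form-data; boundary={boundary}"


def classify(status):
    """Map an HTTP status to what it says about the endpoint's authentication."""
    if status in (401, 403):
        return "rejected: authentication required"
    if 200 <= status < 300:
        return "accepted: unauthenticated upload succeeded"
    if status == 404:
        return "endpoint not found"
    if status == 429:
        return "rate limited"
    return f"inconclusive (HTTP {status})"


def probe(app_url, field_name=FIELD_NAME, timeout=15):
    """POST a constructed one-line file to <app_url>/fileupload with no credentials.

    Returns (http_status, classification). No cookie jar and no Authorization
    header are attached, so a 2xx here means the endpoint accepted an
    anonymous upload.
    """
    content = b"unauthenticated upload probe - safe to delete\n"  # constructed sample file
    body, ctype = build_multipart(field_name, "probe.txt", content)
    req = urllib.request.Request(
        app_url.rstrip("/") + "/fileupload",
        data=body,
        method="POST",
        headers={"Content-Type": ctype, "Content-Length": str(len(body))},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, classify(resp.status)
    except urllib.error.HTTPError as err:
        # 4xx/5xx raise; the status code is still the answer we want.
        return err.code, classify(err.code)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python probe_fileupload.py https://your-app.bubbleapps.io")
    status, verdict = probe(sys.argv[1])
    print(f"HTTP {status}: {verdict}")
```

If the verdict is “accepted”, the only thing between the internet and your storage quota is whatever rate limiting sits in front of the endpoint; a 401/403 means the fix the post asks for (or an equivalent session check) is in place.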