Unauthenticated file upload (Security)

A client recently had a pen test on their Bubble app. Any advice on handling unauthenticated file uploads?


@fede.bubble @josh

This has been a vulnerability for far too long. Main forum for this issue: Axios Upload

Doesn’t seem to be any way to prevent anyone from just uploading files via an axios command. smh

1 Like

@fede.bubble Can you kindly raise this internally? This was highlighted to us by an external pentest. Feels quite ridiculous, I’m able to add files to any bubble app, with unauthenticated access.


I was under the impression that this had recently been patched. Guess not.

They’ve known about this for years. They’ll just tell you, “it’s not a big deal we’ll delete the files if this happens to you.”

1 Like

Just sent this to one of my apps, without authentication.

The team is aware of this and reviewing options

4 Likes

Absolutely no and more, I found some workaround for larger files!

I agree this is a security issue, but also think this kind of endpoint needs to be available for dev. So maybe add a request to use an api key @fede.bubble if the origin is outside of the Bubble app/server?

2 Likes

Yes, this needs to be an authenticated endpoint 👍

I asked on your behalf:
Here’s some more context on a potential fix.

The easy answer is, that wouldn’t change much to the overall security model - if this endpoint is “legal” from a plugin used inside your app in a way that is accessible if you’re not logged in, then that would still be required to stay open. The “origin” is also fakeable, so it’s not something that would add meaningful security.

I forget that if not done by a browser, this can be fakeable. Whitelisting Bubble IP could be better? If the request comes from a Bubble IP, allowed, if not, api key requested?

I don’t think we should confuse the matter too much, the first step would be to disable public access to uploading files to any bubble app without having to use an api token.

@fede.bubble i hope you were answering jici. It’s still a problem on our end and we’ll be losing an enterprise customer potentially if this isn’t addressed.

I agree that this needs to be fixed, but would kindly suggest that the Bubble team gives some advance warning if there’s going to be a change to the /fileupload endpoint.

There are plugins out there with 1000’s of installs that use this endpoint.

Changing how it works without advance warning could cause a lot of apps to break.

@fede.bubble

3 Likes

Agreed, it should be an experimental feature or something you can configure in the API tab.

3 Likes

@fede.bubble Do we have an update on this issue? It’s quite serious for enterprise users.