Unauthenticated file upload (Security)

Noqode · 2025-03-05T10:15:15.070Z

A client recently had a pen test on their Bubble app. Any advice on handling unauthenticated file uploads?

image595×208 21.1 KB

image592×306 32.3 KB

@fede.bubble @josh

patrick.white · 2025-03-05T10:19:17.912Z

This has been a vulnerability for far too long. Main forum for this issue: Axios Upload

Doesn’t seem to be any way to prevent anyone from just uploading files via an axios command. smh

Noqode · 2025-03-05T10:22:48.043Z

@fede.bubble Can you kindly raise this internally? This was highlighted to us by an external pentest. Feels quite ridicilous, i’m able to add files to any bubble app, with unauthenticated access.

randomanon · 2025-03-05T10:33:25.913Z

I was under the impression that this had recently been patched. Guess not.

They’ve known about this for years. They’ll just tell you, “it’s not a big deal we’ll delete the files if this happens to you.”

Noqode · 2025-03-05T10:51:22.971Z

Just sent this to one of my apps, without authentication.

image1722×223 12.7 KB

fede.bubble · 2025-03-05T19:19:33.219Z

The team is aware of this and reviewing options

Jici · 2025-03-05T20:51:26.839Z

Absolutely no and more, I found some workaround for larger files!

Easy file upload to Bubble using API fileupload Tips

Ok. So from insomnia, I was able to send a file (private if needed) larger than 50 mb. But you need to have Bubble element ID that point to a fileuploader element set to max file size. After, the first step will be to send a POST request to https://yourdomain/version-test/fileupload/geturlwith this payload (you can replace the version to live if needed) {"public":true,"service":"bubble","timezone_string":"America/Toronto","serialized_context":{"element_id":"aaaaa","current_date_time":174112660…

I agree this is a security issue, but also think this kind of endpoint need to be available for dev. So maybe add a request to use api key @fede.bubble if the origin is outside of the Bubble app/server?

nocodeventure · 2025-03-05T20:53:35.847Z

Yes, this needs to be an authenticated endpoint👍

fede.bubble · 2025-03-05T21:29:10.173Z

I asked on your behalf:
Here’s some more context on a potential fix.

the easy answer is, that wouldn’t change much to the overall security model - if this endpoint is “legal” from a plugin used inside your app in a way that is accessible if you’re not logged in, then that would still be required to stay open. the “origin” is also fakeable, so it’s not something that would add meaningful security

Jici · 2025-03-05T21:57:16.299Z

I forget that if not done by a browser, this can be fakeable. Whitelisting Bubble IP could be better? If the request come from Bubble IP, allowed, if not, api key requested?

nocodeventure · 2025-03-06T06:02:46.293Z

I don’t think we should confuse the matter too much, the first step would be to disable public access to uploading files to any bubble app without having to use an api token.

@fede.bubble i hope you were answering jici. It’s still a problem on our end and we’ll be losing an enterprise customer potentially if this isn’t addressed.

alexcooney5 · 2025-03-06T09:03:16.706Z

I agree that this needs to be fixed, but would kindly suggest that the Bubble team gives some advance warning if there’s going to be a change to the /fileupload endpoint.

There are plugins out there with 1000’s of installs that use this endpoint.

Changing how it works without advance warning could cause a lot of apps to break.

@fede.bubble

nocodeventure · 2025-03-06T09:11:47.716Z

Agreed, it should be an experimental feature or something you can configure in the API tab.

Noqode · 2025-03-14T12:52:44.962Z

@fede.bubble Do we have an update on this issue? It’s quite serious for enterprise users.