Merge pull request from GHSA-c2pj-v37r-2p6h

corazawaf · Jun 25, 2023 · a5239ba · a5239ba
1 parent 82157f8
commit a5239ba
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/internal/bodyprocessors/multipart.go b/internal/bodyprocessors/multipart.go
@@ -7,7 +7,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"log"
 	"mime"
 	"mime/multipart"
 	"os"
@@ -25,7 +24,7 @@ func (mbp *multipartBodyProcessor) ProcessRequest(reader io.Reader, v plugintype
 	storagePath := options.StoragePath
 	mediaType, params, err := mime.ParseMediaType(mimeType)
 	if err != nil {
-		log.Fatalf("failed to parse media type: %s", err.Error())
+		return err
 	}
 	if !strings.HasPrefix(mediaType, "multipart/") {
 		return errors.New("not a multipart body")

diff --git a/internal/bodyprocessors/multipart_test.go b/internal/bodyprocessors/multipart_test.go
@@ -77,3 +77,20 @@ Content-Type: text/html
 		}
 	}
 }
+
+func TestInvalidMultipartCT(t *testing.T) {
+	payload := strings.TrimSpace(`
+-----------------------------9051914041544843365972754266
+Content-Disposition: form-data; name="text"
+
+text default
+-----------------------------9051914041544843365972754266
+`)
+	mp := multipartProcessor(t)
+	v := corazawaf.NewTransactionVariables()
+	if err := mp.ProcessRequest(strings.NewReader(payload), v, plugintypes.BodyProcessorOptions{
+		Mime: "multipart/form-data; boundary=---------------------------9051914041544843365972754266; a=1; a=2",
+	}); err == nil {
+		t.Error("multipart processor should fail for invalid content-type")
+	}
+}