[vulnerability] surface for phishing attacks in file upload endpoint #976

@314abh

Description

In regards to the /__/file-upload/ endpoint, there are no validation checks for whether the file is an HTML or XML file. In case it's an HTML file, phishing attacks are possible. For example:

```js
const formData = new FormData();
formData.append("file", new Blob(
  ['<script>// arbitrary JS code execution possible here. can be used for phishing attacks.</script>'],
  {type: "text/html"}
), "phishing_site.html");

const res = await fetch("https://gooey.ai/__/file-upload/", {
  method: "POST",
  body: formData
});
console.log(res.status, await res.json());
```

Possible fix/remediation

Don't allow HTML files to be uploaded or at least prohibit type: "text/html". Looking at the context it seems that the endpoint is intended to only handle image and file uploads. Otherwise, when returning the file to the user, set content-type: application/octet-stream and content-disposition: attachment in the headers. Other ways include restricting public access on the S3 or GCS bucket being used.

Context

```python
@app.post("/__/file-upload/")
def file_upload(request: Request, form_data: FormData = fastapi_request_form):
    from wand.image import Image

    file = form_data["file"]
    data = file.file.read()
    if not data:
        return Response(content="No file uploaded", status_code=400)
    filename = file.filename
    content_type = file.content_type

# ... ... ...
# ... ... ...

    user = ensure_request_app_user(request)
    workspace = get_current_workspace(user, request.session)
```

P.S. Even unauthenticated users can upload files as of now, by the way. That must be seen too.
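A defender-side sketch of the remediation proposed in the issue, added here as an example; it is not code from the Gooey project or from the issue author. It covers both suggestions: reject uploads that a browser could render as a page (checked by extension, by the client-declared type, and by sniffing the leading bytes, since the declared type is attacker-controlled), and serve stored files back with `Content-Type: application/octet-stream` plus `Content-Disposition: attachment` so they are downloaded rather than rendered. The function names `check_upload` and `download_headers`, the allow-list of accepted types and the sample payloads are assumptions constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# Assumption: an illustrative allow-list of types the endpoint is meant to accept
# (the issue says it is intended for image and file uploads). Not the project's real list.
ALLOWED_CONTENT_TYPES = {
    "image/png", "image/jpeg", "image/gif", "image/webp",
    "application/pdf", "text/plain",
}

# Declared types and extensions that a browser will render as an active document.
ACTIVE_CONTENT_TYPES = {
    "text/html", "application/xhtml+xml", "text/xml", "application/xml", "image/svg+xml",
}
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml", ".xml", ".svg"}

# Leading byte patterns that browsers sniff as HTML/XML even when the declared type
# says otherwise: optional UTF-8 BOM, optional whitespace, then a telltale tag.
_ACTIVE_MARKERS = re.compile(
    rb"^(?:\xef\xbb\xbf)?\s*<(?:!doctype\s+html|html|head|body|script|iframe|\?xml|svg)",
    re.IGNORECASE,
)


@dataclass
class UploadCheck:
    ok: bool
    reason: str = ""


def check_upload(filename: str, declared_type: str, data: bytes) -> UploadCheck:
    """Decide whether an uploaded file may be stored. Rejects anything that could be
    rendered as a page: by extension, by declared type, and by content sniffing."""
    if not data:
        return UploadCheck(False, "empty file")
    ext = os.path.splitext(filename.lower())[1]
    if ext in ACTIVE_EXTENSIONS:
        return UploadCheck(False, f"extension {ext} not allowed")
    # Strip parameters such as '; charset=utf-8' before comparing.
    base_type = declared_type.split(";", 1)[0].strip().lower()
    if base_type in ACTIVE_CONTENT_TYPES:
        return UploadCheck(False, f"content type {base_type} not allowed")
    if base_type not in ALLOWED_CONTENT_TYPES:
        return UploadCheck(False, f"content type {base_type} not on allow-list")
    # The declared type is client-controlled, so inspect the bytes as well.
    if _ACTIVE_MARKERS.match(data[:1024]):
        return UploadCheck(False, "content sniffs as HTML/XML")
    return UploadCheck(True)


def download_headers(stored_name: str) -> dict:
    """Headers for serving a stored file back so the browser downloads it instead of
    rendering it: fixed octet-stream type, attachment disposition, no MIME sniffing."""
    # Keep the filename to a conservative character set so it cannot break out of
    # the quoted header value or inject CR/LF into the response.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed samples: the payload shape from the report, the same payload
    # relabelled as an image, and a few legitimate files.
    samples = [
        ("phishing_site.html", "text/html", b"<script>/* payload */</script>"),
        ("avatar.png", "image/png", b"<script>/* payload */</script>"),
        ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),
        ("notes.txt", "text/plain", b"<!DOCTYPE html><html></html>"),
        ("notes.txt", "text/plain", b"meeting notes"),
    ]
    for name, ctype, blob in samples:
        print(name, ctype, check_upload(name, ctype, blob))
    print(download_headers('report "x".pdf\r\nSet-Cookie: a=b'))
```

The sniffing step is what catches the relabelled case: the issue's payload uploaded as `avatar.png` with `type: "image/png"` passes the extension and type checks but is still rejected because its first bytes are a `<script` tag. If the bucket must stay publicly readable, the `download_headers` values are the ones to set as object metadata so the browser never renders an uploaded file in the site's origin.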
