External/nuclei
1
0
Fork 0
mirror of https://github.com/projectdiscovery/nuclei.git synced 2025-12-18 08:35:26 +00:00
Code Issues Packages Projects Releases Wiki Activity
nuclei/pkg/fuzz/dataformat/multipart.go
Dwi Siswanto d2cf69aebb
feat(fuzz): enhance MultiPartForm with metadata APIs (#6486) 
* feat(fuzz): enhance `MultiPartForm` with metadata APIs

* add `SetFileMetadata`/`GetFileMetadata` APIs for
  file metadata management.
* implement RFC-2046 boundary validation
  (max 70 chars).
* add boundary validation in `Decode` method.

* fix `filesMetadata` initialization.
* fix mem leak by removing defer from file reading
  loop.
* fix file metadata overwriting by storing first
  file's metadata instead of last.

Closes #6405, #6406

Signed-off-by: Dwi Siswanto <git@dw1.io>

* chore(fuzz): satisfy lint errs

Signed-off-by: Dwi Siswanto <git@dw1.io>

---------

Signed-off-by: Dwi Siswanto <git@dw1.io>
2025-09-22 22:09:24 +05:30

232 lines
5.1 KiB
Go
Raw Permalink Blame History

package dataformat
import (
"bytes"
"fmt"
"io"
"mime"
"mime/multipart"
"net/textproto"
mapsutil "github.com/projectdiscovery/utils/maps"
)
type MultiPartForm struct {
boundary string
filesMetadata map[string]FileMetadata
}
type FileMetadata struct {
ContentType string
Filename string
}
var (
_ DataFormat = &MultiPartForm{}
)
// NewMultiPartForm returns a new MultiPartForm encoder
func NewMultiPartForm() *MultiPartForm {
return &MultiPartForm{
filesMetadata: make(map[string]FileMetadata),
}
}
// SetFileMetadata sets the file metadata for a given field name
func (m *MultiPartForm) SetFileMetadata(fieldName string, metadata FileMetadata) {
if m.filesMetadata == nil {
m.filesMetadata = make(map[string]FileMetadata)
}
m.filesMetadata[fieldName] = metadata
}
// GetFileMetadata gets the file metadata for a given field name
func (m *MultiPartForm) GetFileMetadata(fieldName string) (FileMetadata, bool) {
if m.filesMetadata == nil {
return FileMetadata{}, false
}
metadata, exists := m.filesMetadata[fieldName]
return metadata, exists
}
// IsType returns true if the data is MultiPartForm encoded
func (m *MultiPartForm) IsType(data string) bool {
// This method should be implemented to detect if the data is multipart form encoded
return false
}
// Encode encodes the data into MultiPartForm format
func (m *MultiPartForm) Encode(data KV) (string, error) {
var b bytes.Buffer
w := multipart.NewWriter(&b)
if err := w.SetBoundary(m.boundary); err != nil {
return "", err
}
var Itererr error
data.Iterate(func(key string, value any) bool {
var fw io.Writer
var err error
if fileMetadata, ok := m.filesMetadata[key]; ok {
if filesArray, isArray := value.([]any); isArray {
for _, file := range filesArray {
h := make(textproto.MIMEHeader)
h.Set("Content-Disposition",
fmt.Sprintf(`form-data; name=%q; filename=%q`,
key, fileMetadata.Filename))
h.Set("Content-Type", fileMetadata.ContentType)
if fw, err = w.CreatePart(h); err != nil {
Itererr = err
return false
}
if _, err = fw.Write([]byte(file.(string))); err != nil {
Itererr = err
return false
}
}
return true
}
}
// Add field
var values []string
switch v := value.(type) {
case nil:
values = []string{""}
case string:
values = []string{v}
case []string:
values = v
case []any:
values = make([]string, len(v))
for i, item := range v {
if item == nil {
values[i] = ""
} else {
values[i] = fmt.Sprint(item)
}
}
default:
values = []string{fmt.Sprintf("%v", v)}
}
for _, val := range values {
if fw, err = w.CreateFormField(key); err != nil {
Itererr = err
return false
}
if _, err = fw.Write([]byte(val)); err != nil {
Itererr = err
return false
}
}
return true
})
if Itererr != nil {
return "", Itererr
}
_ = w.Close()
return b.String(), nil
}
// ParseBoundary parses the boundary from the content type
func (m *MultiPartForm) ParseBoundary(contentType string) error {
_, params, err := mime.ParseMediaType(contentType)
if err != nil {
return err
}
m.boundary = params["boundary"]
if m.boundary == "" {
return fmt.Errorf("no boundary found in the content type")
}
// NOTE(dwisiswant0): boundary cannot exceed 70 characters according to
// RFC-2046.
if len(m.boundary) > 70 {
return fmt.Errorf("boundary exceeds maximum length of 70 characters")
}
return nil
}
// Decode decodes the data from MultiPartForm format
func (m *MultiPartForm) Decode(data string) (KV, error) {
if m.boundary == "" {
return KV{}, fmt.Errorf("boundary not set, call ParseBoundary first")
}
// Create a buffer from the string data
b := bytes.NewBufferString(data)
r := multipart.NewReader(b, m.boundary)
form, err := r.ReadForm(32 << 20) // 32MB is the max memory used to parse the form
if err != nil {
return KV{}, err
}
defer func() {
_ = form.RemoveAll()
}()
result := mapsutil.NewOrderedMap[string, any]()
for key, values := range form.Value {
if len(values) > 1 {
result.Set(key, values)
} else {
result.Set(key, values[0])
}
}
if m.filesMetadata == nil {
m.filesMetadata = make(map[string]FileMetadata)
}
for key, files := range form.File {
fileContents := []interface{}{}
var fileMetadataList []FileMetadata
for _, fileHeader := range files {
file, err := fileHeader.Open()
if err != nil {
return KV{}, err
}
buffer := new(bytes.Buffer)
if _, err := buffer.ReadFrom(file); err != nil {
_ = file.Close()
return KV{}, err
}
_ = file.Close()
fileContents = append(fileContents, buffer.String())
fileMetadataList = append(fileMetadataList, FileMetadata{
ContentType: fileHeader.Header.Get("Content-Type"),
Filename: fileHeader.Filename,
})
}
result.Set(key, fileContents)
// NOTE(dwisiswant0): store the first file's metadata instead of the
// last one
if len(fileMetadataList) > 0 {
m.filesMetadata[key] = fileMetadataList[0]
}
}
return KVOrderedMap(&result), nil
}
// Name returns the name of the encoder
func (m *MultiPartForm) Name() string {
return "multipart/form-data"
}
Reference in New Issue View Git Blame Copy Permalink