Skip to content

fix: file validation bypass by targeting non file input types during customer file upload #40262

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: 2.4-develop
Choose a base branch
from
Open

fix: file validation bypass by targeting non file input types during customer file upload #40262

wants to merge 2 commits into from

Conversation

@SamJUK
Copy link
Contributor

@SamJUK SamJUK commented Oct 30, 2025
edited by m2-assistant bot
Loading

Description (*)

Currently, we can upload files against any attribute types via the customer file upload controllers.

This is not ideal as, we can target non file based types (Select/Hidden/Text) to bypass the expected validation logic that would take place for a Image/File type.

And as far as I am aware, there is no valid reason to be uploading a file, to non file input types (e.g select / text).

This specific functionality is actively being exploited as part of the Session Reaper (CVE-2025-54236) chain to achieve RCE.
https://slcyber.io/assetnote-security-research-center/why-nested-deserialization-is-still-harmful-magento-rce-cve-2025-54236/

This PR restricts the file uploads to only input types that are expected to have file uploads. Whilst leaving the input types configurable to merchants/extension developers via di.xml

Manual testing scenarios (*)

  1. Checkout 2.4-develop

  2. Post an arbitrary file to the customer/address_file/upload endpoint, targeting a select attribute (country_id)
    Note a success message, and the file is present in the pub/media/customer_address directory

  3. Post an arbitrary file to the customer/address_file/upload endpoint, targeting a text attribute (city)
    Note a error message, referencing text based validation error trying to validate a file as a string

  4. Checkout this PR

  5. Repeat Steps 2 & 3, note a friendly error message stating file uploads are unexpected.

  6. Create a image/file based attribute, update the curl command to target that. Upload should succeed.

# ENV Prep
echo "hello-world" > /tmp/hello-world
FORMKEY=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)

# Test post targeting country_id (select type)
curl -k --cookie "form_key=$FORMKEY" -F "form_key=$FORMKEY" -F "custom_attributes[country_id]=@/tmp/hello-world" https://app.luma.test/customer/address_file/upload

# Test post targeting city (text type)
curl -k --cookie "form_key=$FORMKEY" -F "form_key=$FORMKEY" -F "custom_attributes[city]=@/tmp/hello-world" https://app.luma.test/customer/address_file/upload

# Confirm the file is uploaded to the media file system
find pub/media/customer_address/ -type f
Before Update After Update
Screenshot 2025-10-30 at 23 13 58 Screenshot 2025-10-30 at 23 13 31

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)

Resolved issues:

  1. resolves [Issue] fix: file validation bypass by targeting non file input types during customer file upload #40267: fix: file validation bypass by targeting non file input types during customer file upload

@m2-assistant
Copy link

m2-assistant bot commented Oct 30, 2025

Hi @SamJUK. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

@ct-prd-pr-scan
Copy link

ct-prd-pr-scan bot commented Oct 30, 2025

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email [email protected].

@SamJUK
Copy link
Contributor Author

SamJUK commented Oct 31, 2025

@magento run all tests

@magento-automated-testing
Copy link

magento-automated-testing bot commented Oct 31, 2025

Pull Requests are not mergeable to the mainline. Please merge the latest mainlines to your Pull Requests and restart the builds.

@SamJUK
Copy link
Contributor Author

SamJUK commented Oct 31, 2025

@magento run all tests

@ssx
Copy link
Contributor

ssx commented Oct 31, 2025

Excellent work @SamJUK! I've got a nearly identical PR locally 😂

@J-Wick4
Copy link

J-Wick4 commented Nov 1, 2025

Our Virus security alerted us tonight about malware being uploaded to our Magento 2.4.8-p3 patched store.

Here's the file that was uploaded. I have since made a rule to block the path.
https://www.virustotal.com/gui/file/f1049d0883daa1c6355eb86aacb59e10452fabc6ef0ac9691f22a53f3069597a/community

@SamJUK SamJUK mentioned this pull request Nov 1, 2025
Open
5 tasks
@engcom-Hotel
Copy link
Contributor

engcom-Hotel commented Nov 4, 2025

@magento create issue

@m2-assistant m2-assistant bot mentioned this pull request Nov 4, 2025
Open
5 tasks
@ct-prd-pr-scan
Copy link

ct-prd-pr-scan bot commented Nov 4, 2025

The security team has been informed about this pull request due to the presence of risky security keywords. For security vulnerability reports, please visit Adobe's vulnerability disclosure program on HackerOne or email [email protected].

@engcom-Hotel engcom-Hotel added the Priority: P2 A defect with this priority could have functionality issues which are not to expectations. label Nov 4, 2025
@github-project-automation github-project-automation bot moved this to Pending Review in Pull Requests Dashboard Nov 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Priority: P2 A defect with this priority could have functionality issues which are not to expectations. Progress: pending review

Projects

Pull Requests Dashboard
Status: Pending Review

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Issue] fix: file validation bypass by targeting non file input types during customer file upload

4 participants

@SamJUK @ssx @J-Wick4 @engcom-Hotel