Image upload is not working #507

Open
xhzeem opened this issue Feb 13, 2025 · 4 comments

@xhzeem

xhzeem commented Feb 13, 2025

Issue Type

  • Bug Report

Faraday version

5.11

Component Name

WebGui (Image Upload Functionality)

Steps to reproduce

  1. Install Faraday using Docker.
  2. Navigate to any text field that accepts descriptions or resolutions (e.g., when adding a new issue).
  3. Copy an image to your clipboard.
  4. Press CTRL+V to paste the image into the text field.
  5. Notice that instead of the image being uploaded, a placeholder appears:
    • Often as ![image.png]()
    • Or sometimes as ![Uploading_<unique_id>]()
  6. In both cases, the image is never actually uploaded or rendered.
  7. Sometimes it works, but once I try to paste a new image I get an error that the image already exists because the application tries to add it again under the same name (image.png).
  8. Sometimes I keep getting a CSRF issue; even after multiple hard reloads the issue remains.

Expected results

When using CTRL+V to paste an image into the description or resolution field, the image should be successfully uploaded and displayed inline.

Screenshots

  • The placeholder text (e.g., ![image.png]() or ![Uploading_<unique_id>]())
  • The absence of the actual image after pasting
Image Image

Environment information

Chrome and Firefox latest version, installation with docker

@ezk06eer

@xhzeem when creating a new vuln that feature will not work because of the logic beneath attaching the image: the vulnerability does not exist at that time, so the image can't be attached to any vuln. If you create it and then edit it, it will work.

Cheers and thanks for the feedback.

@xhzeem
Author

xhzeem commented Feb 13, 2025

This still happens even after creating; please note that there are 3 issues:

  • Notice that instead of the image being uploaded, a placeholder appears but the image is never actually uploaded or rendered.
  • Sometimes it works, but once I try to paste a new image I get an error that the image already exists because the application tries to add it again under the same name (image.png) -The uploaded image should have a random uuid name so another image can still be uploaded, or upload with image.png(1), image.png(2), etc.. at the end.-
  • Sometimes I keep getting a CSRF issue; even after multiple hard reloads the issue remains

And they all happen when editing, not when creating
@ezk06eer

This is the debug when I try to upload an image in an existing vuln which keeps failing with ![Uploading_<unique_id>]()

faraday_app    | [2025-02-13 13:19:06,771] DEBUG in debouncer: Updating workspace: test
faraday_app    | 2025-02-13T13:19:16+0000 - geventwebsocket.handler - INFO {Dummy-293} [pid:23] [handler.py:242 - log_request()]  192.168.107.1 - - [2025-02-13 13:19:16] "GET /manage/test/20 HTTP/1.1" 304 141 0.024007
faraday_app    | 2025-02-13T13:19:17+0000 - faraday.server.api.base - INFO {Dummy-300} [pid:23] [base.py:1493 - _perform_update()]  <VulnerabilityWeb 20> updated
faraday_app    | 2025-02-13T13:19:17+0000 - geventwebsocket.handler - INFO {Dummy-300} [pid:23] [handler.py:242 - log_request()]  192.168.107.1 - - [2025-02-13 13:19:17] "PATCH /_api/v3/ws/test/vulns/20 HTTP/1.1" 200 7075 0.060389
faraday_app    | 2025-02-13T13:19:19+0000 - geventwebsocket.handler - INFO {Dummy-293} [pid:23] [handler.py:242 - log_request()]  192.168.107.1 - - [2025-02-13 13:19:19] "GET /manage/test/20 HTTP/1.1" 304 141 0.024056
faraday_app    | 2025-02-13T13:19:20+0000 - geventwebsocket.handler - INFO {Dummy-293} [pid:23] [handler.py:242 - log_request()]  192.168.107.1 - - [2025-02-13 13:19:20] "GET /manage/test/20 HTTP/1.1" 304 141 0.024882
faraday_app    | 2025-02-13T13:19:21+0000 - faraday.server.api.base - INFO {Dummy-300} [pid:23] [base.py:1493 - _perform_update()]  <VulnerabilityWeb 20> updated
faraday_app    | 2025-02-13T13:19:21+0000 - geventwebsocket.handler - INFO {Dummy-300} [pid:23] [handler.py:242 - log_request()]  192.168.107.1 - - [2025-02-13 13:19:21] "PATCH /_api/v3/ws/test/vulns/20 HTTP/1.1" 200 7128 0.086497
faraday_app    | [2025-02-13 13:19:31,163] DEBUG in app: Calling get_app
faraday_app    | [2025-02-13 13:19:31,164] DEBUG in debouncer: Updating workspace: test
Image

@xhzeem
Author

xhzeem commented Feb 14, 2025

After some debugging I found that the issue is related to the CSRF token (but it doesn't show the error all the time like in the screenshot above)

Image

So the main issue here is related to the CSRF + the uploaded image should be renamed so multiple images can be uploaded without the name conflict issue

Also I just noticed that only the description field supports images, so it would be nice to return an error when trying to paste images in other fields to alert that images cannot be uploaded (or just support them in all markdown fields)
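
An added example, not part of the issue thread and not Faraday's own code: two ways a server could name stored attachments so that a second clipboard paste called image.png does not collide with the first, following the two schemes suggested in this thread. The allow-list, the function names, and placing the counter before the extension (so the extension still matches the file type) are assumptions.

```python
import posixpath
import re
import uuid

# Assumed allow-list of image extensions accepted for pasted evidence.
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif", ".webp"}


def _split_clean(client_name):
    """Reduce a client-supplied filename to a safe (stem, extension) pair."""
    # Discard any directory components, whichever separator the client used.
    base = posixpath.basename(client_name.replace("\\", "/"))
    stem, ext = posixpath.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_EXT:
        raise ValueError(f"extension not allowed: {ext!r}")
    # Keep only conservative characters and bound the length.
    stem = re.sub(r"[^A-Za-z0-9_-]", "_", stem)[:64] or "image"
    return stem, ext


def uuid_name(client_name):
    """Scheme 1: ignore the client's stem and store under a random UUID."""
    _, ext = _split_clean(client_name)
    return f"{uuid.uuid4().hex}{ext}"


def counter_name(client_name, existing):
    """Scheme 2: keep the stem and append (1), (2), ... until the name is free.

    `existing` is the collection of names already attached to the same
    vulnerability. Comparison is case-insensitive so Image.PNG and image.png
    are not treated as different files.
    """
    stem, ext = _split_clean(client_name)
    taken = {name.lower() for name in existing}
    candidate, i = f"{stem}{ext}", 0
    while candidate.lower() in taken:
        i += 1
        candidate = f"{stem}({i}){ext}"
    return candidate


if __name__ == "__main__":
    # Constructed sample: three consecutive clipboard pastes, all "image.png".
    stored = []
    for _ in range(3):
        stored.append(counter_name("image.png", stored))
    print(stored)
    print(uuid_name("image.png"))
```

With the counter scheme the check and the write still have to happen atomically on the server (for example through a unique constraint on vulnerability and filename), otherwise two simultaneous pastes can pick the same name.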

@xhzeem
Author

xhzeem commented Feb 14, 2025

Another issue here is the copy image button always returns vulnerability id 0, which makes it broken

Image

Example: (evidence:vulnerability:0:image.png)

If this can be fixed, or even better, make the copy button copy the markdown link like this one for consistency between pasted ones and uploaded ones, e.g.: ![image.png](/_api/v3/ws/TEST/vulns/9/attachment/image.png)
