Typescript Accept Any Mime
Description
Detects when TypeScript code accepts any MIME type in the HTTP Accept header by default, without explicit content-type restrictions. This is a security risk because potentially malicious content types may then be processed, which could lead to content-sniffing attacks or malicious file uploads.
Detection Strategy
• Check for HTTP request handler configurations or route definitions in TypeScript code
• Look for Accept header configurations that use default/unrestricted values or wildcards (*/*)
• Flag instances where content type restrictions are not explicitly defined
• Verify if the code allows processing of any MIME type without proper validation
Vulnerable code example
import axios from 'axios';
// Unsafe: Setting Accept header to wildcard allows processing potentially dangerous content types
axios.defaults.headers.post["Accept"] = "*/*";
// Dangerous: Using wildcard Accept header in instance configuration
const instance = axios.create();
instance.defaults.headers.common["Accept"] = "*/*"; // Security risk: accepts any content type
✅ Secure code example
import axios from 'axios';
// Safe: Explicitly specify accepted content type
axios.defaults.headers.post["Accept"] = "application/json";
// Safe: Create instance with specific Accept header
const instance = axios.create();
instance.defaults.headers.common["Accept"] = "application/json"; // Only accept JSON responses
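Setting a strict Accept header only states a preference; a server can still answer with a different Content-Type, so the allowlist should also be enforced on the response. The following is an added example, not Fluid Attacks' rule code or part of axios: it flags unrestricted Accept values (the rule's detection logic), builds a wildcard-free Accept header, and provides a response-side guard in the shape of an axios response interceptor. The `ResponseLike` type and the sample responses are constructed here so the block runs without axios installed.

```typescript
// Added example (not from the original page or from axios).
type HeaderBag = Record<string, string | undefined>;

// Minimal stand-in for an axios response so the block runs stand-alone.
interface ResponseLike {
  status: number;
  headers: HeaderBag;
  data: unknown;
}

/** Normalise a media type: drop parameters ("; charset=utf-8") and lower-case it. */
function parseMediaType(header: string | undefined): string {
  if (!header) return "";
  const [type = ""] = header.split(";");
  return type.trim().toLowerCase();
}

/** Detection: true when an Accept value lets the client process any content type. */
function isUnrestrictedAccept(accept: string | undefined): boolean {
  if (!accept) return true; // no header at all: the server chooses the type
  return accept
    .split(",")
    .map(parseMediaType)
    .some((mt) => mt === "*/*" || mt === "*");
}

/** Mitigation: build an Accept header from an allowlist, refusing wildcards. */
function buildAccept(allowed: readonly string[]): string {
  const token = "[a-z0-9!#$&^_.+-]+"; // RFC 7231 token chars, '*' deliberately excluded
  const mediaType = new RegExp(`^${token}/${token}$`, "i");
  for (const mt of allowed) {
    if (!mediaType.test(mt)) {
      throw new Error(`refusing wildcard or malformed media type: ${mt}`);
    }
  }
  return allowed.map((m) => m.toLowerCase()).join(", ");
}

/** Response guard: reject any body whose Content-Type is outside the allowlist. */
function enforceContentType(allowed: readonly string[]) {
  const allowSet = new Set(allowed.map((m) => m.toLowerCase()));
  return (res: ResponseLike): ResponseLike => {
    const ct = parseMediaType(res.headers["content-type"]);
    if (!allowSet.has(ct)) {
      throw new Error(`unexpected Content-Type "${ct || "(none)"}" (status ${res.status})`);
    }
    return res;
  };
}
```

With axios the guard would be registered as `instance.interceptors.response.use(enforceContentType(["application/json"]))`, and `buildAccept` supplies the value for `instance.defaults.headers.common["Accept"]`.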