Ahmed Bouhuolia ace15dbdeb fix(server): use CSPRNG for attachment S3 keys (GHSA-gj48-p5ff-g67f)
The multer-s3 storage factory used `Date.now().toString()` as the S3 key
for every upload, yielding a 13-digit ms-epoch key. The keyspace for any
time window equals the millisecond count of that window, so an attacker
holding a registered account can enumerate keys for known upload moments
(e.g. ~10 minutes for a 10-second window with a 10-proxy rotation), then
download files via `GET /attachments/:id/presigned-url`. Two uploads in
the same millisecond also collide and silently overwrite each other.

Replace the key callback with `${organizationId}/${randomUUID()}`:

  * `randomUUID()` from `node:crypto` is a v4 UUID with 122 bits of
    entropy, making brute-force enumeration infeasible.
  * The `<organizationId>/` prefix (read from the `nestjs-cls` store
    populated by `ClsModule` middleware in `App.module.ts`) limits the
    blast radius of any hypothetical bucket-listing leak to a single
    tenant.

Add a tenant migration applying `unique` to `documents.key` so any future
key collision surfaces as a DB error instead of a silent S3 overwrite.

Legacy 13-digit numeric keys remain accessible via their stored values;
only new uploads use the new format.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-16 19:38:39 +02:00
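The key scheme the commit message describes, as an added TypeScript example that is not Bigcapital's own code: `legacyKey` reproduces the `Date.now().toString()` callback, `hardenedKey` the `${organizationId}/${randomUUID()}` replacement, `enumerateLegacyKeys` shows why the old keyspace equals the window length in milliseconds, and `DocumentKeyRegistry` stands in for the `unique` constraint on `documents.key` so a same-millisecond collision throws instead of overwriting. The `keyBelongsToOrganization` check, the registry class and the organization ids used in it (7, 42) are assumptions for illustration, not part of the fix.

```typescript
import { randomUUID } from "node:crypto";

// Before: every upload is keyed by its millisecond of arrival, so the key
// is guessable from the upload time and collides within the same millisecond.
function legacyKey(nowMs: number = Date.now()): string {
  return nowMs.toString();
}

// Candidate keys for an upload known to have landed in
// [startMs, startMs + windowMs): exactly windowMs strings, one per millisecond.
function enumerateLegacyKeys(startMs: number, windowMs: number): string[] {
  const keys: string[] = [];
  for (let t = startMs; t < startMs + windowMs; t++) keys.push(t.toString());
  return keys;
}

// Guessing effort for a legacy key in bits, for comparison with the UUID.
function legacyKeyBits(windowMs: number): number {
  return Math.log2(windowMs);
}

// After: tenant prefix plus a v4 UUID from the CSPRNG. 128 bits minus the
// 6 fixed version/variant bits leaves 122 bits an attacker would have to guess.
const HARDENED_KEY_BITS = 122;
function hardenedKey(organizationId: string | number): string {
  return `${organizationId}/${randomUUID()}`;
}

// Shape checks: new keys are "<org>/<v4 uuid>", legacy keys are 13 digits.
const HARDENED_KEY_RE =
  /^[^/]+\/[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;
const LEGACY_KEY_RE = /^\d{13}$/;
function isHardenedKey(key: string): boolean { return HARDENED_KEY_RE.test(key); }
function isLegacyKey(key: string): boolean { return LEGACY_KEY_RE.test(key); }

// Hypothetical tenant check before issuing a presigned URL (assumption, not
// part of the fix): the organization in the key prefix must be the caller's.
// Legacy keys carry no tenant, so they fail here and must be authorized
// through their documents row instead.
function keyBelongsToOrganization(key: string, organizationId: string | number): boolean {
  if (!isHardenedKey(key)) return false;
  return key.slice(0, key.indexOf("/")) === String(organizationId);
}

// In-memory stand-in for the `unique` constraint on documents.key: inserting
// an existing key throws, which is the failure mode the migration wants.
class DocumentKeyRegistry {
  private readonly keys = new Set<string>();
  insert(key: string): void {
    if (this.keys.has(key)) throw new Error(`duplicate key: ${key}`);
    this.keys.add(key);
  }
}

// Two uploads in the same millisecond: legacy keys collide, hardened keys do not.
function sameMillisecondCollision(nowMs: number, organizationId: number): {
  legacyCollides: boolean;
  hardenedCollides: boolean;
} {
  const collides = (makeKey: () => string): boolean => {
    const registry = new DocumentKeyRegistry();
    registry.insert(makeKey());
    try {
      registry.insert(makeKey());
      return false;
    } catch {
      return true;
    }
  };
  return {
    legacyCollides: collides(() => legacyKey(nowMs)),
    hardenedCollides: collides(() => hardenedKey(organizationId)),
  };
}
```

The prefix check is a defence-in-depth layer on top of, not a replacement for, looking the document up by id under the caller's tenant: a random key stops enumeration, but the presigned-URL route still has to confirm the row belongs to the requesting organization.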

Bigcapital

Simple, smart online accounting software for small and medium businesses.

Bigcapital Cloud

What's Bigcapital?

Bigcapital is smart, open-source accounting and inventory software. It keeps all business finances in one place and automates accounting processes, giving the business powerful, intelligent financial statements and reports to support decision-making.

Getting Started

We've got several options for dev and prod, depending on your needs, to get started quickly with Bigcapital.

Self-hosted

Bigcapital is available open-source under the AGPL license. You can host it on your own servers using Docker.

Docker

To get started with self-hosting using Docker and Docker Compose, take a look at the Docker guide.

Development

Local Setup

To get started locally, we have a guide to help you.

Gitpod

  • Click the Gitpod button below to open this project in development mode.
  • This will open and configure the workspace in your browser with all the necessary dependencies.

Open in Gitpod

Headless Accounting

You can integrate the Bigcapital API with your system to organize your transactions in a double-entry system and get the best financial reports.

Run in Postman

Resources

Changelog

Please see Releases for more information on what has changed recently.

Contact us

Meet our sales team for any commercial inquiries.

Book us with Cal.com

Recognition

Featured on Hacker News

Contributors

Thanks goes to these wonderful people (emoji key):

Ahmed Bouhuolia 💻
Ameir Abdeldayem 🐛
ElforJani13 💻
Lars Scheibling 🐛
Suhaib Affan 💻
Kalliopi Pliogka 🐛
Robert Koch 💻
Casper Schuijt 🐛
ANasouf 💻
Ragnar Laud 🐛
Asena 🐛
Ben Snyder 💻
Vederis Leunardus 💻
Chris Cantrell 🐛
Denis 🐛
Sachin Mittal 🐛
Camilo Oviedo 💻
Mantey 🐛
Daniel Lo Nigro 🐛 💻

This project follows the all-contributors specification. Contributions of any kind welcome!
