TypeBot: Unauthenticated arbitrary s3 object write in generate-upload-url via unsanitized fileName

An anonymous visitor to any published Typebot that includes a file-input block can obtain a valid `sessionId` by starting the bot. They then send a `POST` to `/api/blocks/file-input/v3/generate-upload-url` with a `fileName` containing forward-slash path injection (e.g., `evil/path/inject/payload.html`). The server constructs an S3 key under the `public/` prefix using this unsanitized `fileName` and returns a presigned PUT URL that does not enforce `Content-Type`. The attacker can then `PUT` attacker-controlled HTML, SVG, or JS content with an arbitrary `Content-Type` to that URL, achieving arbitrary object write in the shared object store. This enables stored XSS when the uploaded file is served from the application's storage origin. [CWE-22] [CWE-79] [ref_id=1]

The unauthenticated `POST /api/blocks/file-input/v3/generate-upload-url` endpoint is exposed via `builderPublicProcedure` in `packages/blocks/fileInput/src/api/router.ts:41`. The handler in `packages/blocks/fileInput/src/api/handleGenerateUploadUrl.ts` concatenates the unsanitized `fileName` input directly into the S3 object key, and `packages/lib/src/s3/generatePresignedPutUrl.ts` issues a presigned PUT URL that does not bind `Content-Type`. The same pattern exists in the deprecated V1/V2 handlers and the builder upload endpoint. [ref_id=1]

The advisory recommends deriving the object key server-side from a UUID and the extension from an allowed MIME type rather than using the client-supplied `fileName`. It also recommends binding and enforcing `Content-Type` in the presigned upload (e.g., via a POST policy that pins key-prefix, content-type, and size), and serving user uploads from a separate origin with `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment`. The patch is not shown in the bundle, but the advisory states the issue is fixed in version 3.17.0. [ref_id=1]