From 1f11196b67411f2e4ed8e5690f761a792fa9dc70 Mon Sep 17 00:00:00 2001
From: Eric
Date: Wed, 30 Jul 2025 16:47:56 -0500
Subject: [PATCH] Website: Update body parser error handling. (#31427)

Closes: https://github.com/fleetdm/fleet/issues/31418

Changes:
- Updated the body parser middleware to return a 403 response if a multi-part request is sent to a URL that could be for a static asset.
---
 website/config/http.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/website/config/http.js b/website/config/http.js
index 703f3b7d68..37ebf74c92 100644
--- a/website/config/http.js
+++ b/website/config/http.js
@@ -59,6 +59,9 @@ module.exports.http = {
 // If an error occurs while parsing an incoming request body, we'll return a badRequest response if error.statusCode is between 400-500
 if (_.isNumber(err.statusCode) && err.statusCode >= 400 && err.statusCode < 500) {
 return res.status(400).send(err.message);
+ // If an error occurs and this was a request going to a static asset, return a 403 response.
+ } else if(req.url.match(sails.LOOKS_LIKE_ASSET_RX)) {
+ return res.status(403).send();
 } else {
 sails.log.error('Sending 500 ("Server Error") response: \n', err);
 return res.status(500).send();
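Review bot: The new `else if` branch returns 403 for any body-parse error without a 4xx `statusCode` on a URL matching `sails.LOOKS_LIKE_ASSET_RX`, and it logs nothing, so these requests no longer reach the `sails.log.error` call in the 500 branch. The condition also does not check that the request was multipart, although the description scopes the change to multipart requests; a genuine parser fault on a route whose URL happens to look like an asset would apparently be reported as 403 and go unrecorded. Consider keeping a low-severity record before returning, e.g. `sails.log.warn('Body parser error on asset-like URL, sending 403:', req.method, req.url, err.message);`, so that probing and real parser failures stay visible to whoever watches the logs. The enclosing error handler starts and ends outside the hunk, so how `err` is populated cannot be confirmed from here.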