GitHub Bounties💵 paid workby pinehill99scored by google/gemini-2.5-flash

SecureBananaLabs/bug-bounty: upload endpoint accepts empty file submissions as successful uploads

Visit project ↗Discussion ↗

💵 Funded work— see “Deliver it” below for how to respond.

Opportunity

AI-buildable

Traction

Creativity

The take

effort: ~weekend

This is a bounty to fix a specific bug in a Node.js Express API: the `/api/uploads` endpoint incorrectly returns a 201 success status even when no file is present in the multipart request. The task is to ensure requests without a file receive a 400 Bad Request and to add a regression test.

Demand & gap

Painkillerdemand 76

Demand

Will. to pay

Gap

Buyer

Enterprise / orgs

The gap in what exists: The gap is this specific, known bug that needs fixing, with an explicit bounty offered for its resolution.
Wedge to win: The wedge is simply delivering a correct, tested fix for the identified bug to claim the bounty.
Reputation value (worth doing free for proof) — 60/100: Successfully completing a bounty on a public GitHub repository provides tangible proof of coding and debugging skills, enhancing a developer's portfolio for future contract work.
Likely monetization: fixed-price bounty

Deliver it

A starter prompt for Claude Code, what you'll need, and how to reach them.

You are a senior Node.js developer. The task is to fix a bug in a given Express.js application's upload endpoint and add a regression test. Fork the repository `SecureBananaLabs/bug-bounty`. The issue is #2850, where `POST /api/uploads` returns `201` even without a `file` field in a multipart request. The goal is to make it return `400` with `status: "no-file"` for missing files and reserve `201` for actual successful uploads. Add a route-level regression test for this specific missing-file case. Ensure the fix adheres to existing code style and testing patterns. Focus on the `POST /api/uploads` route. Stack is Node.js with Express.js. Deliver a pull request. Your first step is to locate the relevant route handler and identify where `req.file` or similar file presence check should occur.

Prerequisites — cost & what to learn

GitHub accountFree · Free✓ in your stack
Standard for any GitHub-based development.
Node.js (LTS version)Free · Free

How you'd build it

1Fork the SecureBananaLabs/bug-bounty repository.
2Locate the `POST /api/uploads` route handler in the Node.js Express application.
3Implement a middleware or modify the existing handler to check for `req.file` or similar file presence before processing the upload.
4If no file is present, return a 400 status code with an appropriate error message (e.g., `{'success': false, 'message': 'No file uploaded'}`).
5Add a new test case to the existing API test suite that specifically asserts a 400 response for requests to `/api/uploads` without a file.
6Submit a pull request to the original repository with the fix and the new test.

Risks & moats

The existing codebase might be complex or poorly documented, making it harder to pinpoint the exact location for the fix.
Setting up the local development environment for the project (dependencies, database if any) might take longer than expected.
The issue states that only the original author can solve it, which might require creating a duplicate issue or direct communication to work around.
Ensuring the regression test integrates cleanly with their existing testing framework without causing conflicts.

Original context

Bounty (amount on the issue). ## Bug `POST /api/uploads` currently returns `201` with `success: true` even when the multipart request does not include a `file` field. The response reports `status: "no-file"`, but it is still treated as a successful upload by HTTP status and response shape. ## Expected fix Reject upload requests that do not include a file with a clear `400` response, and keep successful upload responses reserved for requests that actually include `req.file`. Add route-level regression coverage for the missing-file case. ## Scope This issue is limited to missing-file handling in `POST /api/uploads` and focused API test coverage. This issue is limited only to the creator of this issue. This means that only the issue author can attempt to solve this issue. If you would like to work on it, please create another issue with the same contents and refer to issue #743 for more information. References #743.