refactor: Server crash when uploading file without extension; fixes security vulnerability [GHSA-792q-q67h-w579](GHSA-792q-q67h-w579) (#8779)
mtrezza authored Oct 20, 2023
1 parent 5dd3aa0 commit fe02d3e
Showing 2 changed files with 30 additions and 2 deletions.
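--- a/spec/ParseFile.spec.js
+++ b/spec/ParseFile.spec.js
@@ -1432,6 +1432,34 @@ describe('Parse.File testing', () => {
 }
 });
 
+it('allows file without extension', async () => {
+await reconfigureServer({
+fileUpload: {
+enableForPublic: true,
+fileExtensions: ['^[^hH][^tT][^mM][^lL]?$'],
+},
+});
+const headers = {
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+};
+
+const values = ['filenamewithoutextension'];
+
+for (const value of values) {
+await expectAsync(
+request({
+method: 'POST',
+headers: headers,
+url: `http://localhost:8378/1/files/${value}`,
+body: '<html></html>\n',
+}).catch(e => {
+throw new Error(e.data.error);
+})
+).toBeResolved();
+}
+});
+
 it('works with array', async () => {
 await reconfigureServer({
 fileUpload: {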
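Review bot: The new test pins only the permissive path, so nothing guards the `fileExtensions` filter for an extensionless filename that does carry a Content-Type. As far as the visible `headers` object shows, the request sends no `Content-Type`, so the router's fallback `contentType.split('/')[1]` is never exercised. A companion case that posts the same filename with `'Content-Type': 'text/html'` and ends in `.toBeRejected()` would keep this fix from silently widening what the filter accepts. As a style point, the one-element `values` array and its `for` loop can be reduced to a single request.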
4 changes: 2 additions & 2 deletions src/Routers/FilesRouter.js
@@ -159,9 +159,9 @@ export class FilesRouter {
} else if (contentType && contentType.includes('/')) {
extension = contentType.split('/')[1];
}
extension = extension.split(' ').join('');
extension = extension?.split(' ')?.join('');

if (!isValidExtension(extension)) {
if (extension && !isValidExtension(extension)) {
next(
new Parse.Error(
Parse.Error.FILE_SAVE_ERROR,
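Review bot: With `if (extension && !isValidExtension(extension))`, an upload for which no extension can be derived skips the `fileExtensions` check entirely, so the filter is fail-open for that case, including any derived value that is empty once the spaces are stripped. Whether such a file can later be served with an active content type depends on the files adapter and response headers, which are not visible here. A comment above the condition such as `// no derivable extension: fileExtensions is not applied; safety relies on the Content-Type the file is served with` would make the trade-off explicit. The second `?.` in `extension?.split(' ')?.join('')` is redundant because `split` always returns an array, so `extension?.split(' ').join('')` is equivalent. The enclosing handler starts and ends outside the hunk.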
