Skip to content

feat: Add new Parse Server option fileUpload.fileExtensions to restrict file upload by file extension #8537

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 20, 2023
Merged

feat: Add new Parse Server option fileUpload.fileExtensions to restrict file upload by file extension #8537

merged 2 commits into from
May 20, 2023
+211 −26

Conversation

@mtrezza
Copy link
Member

@mtrezza mtrezza commented May 20, 2023
edited
Loading

Fixes security vulnerability GHSA-9prm-jqwx-45x9.

@parse-github-assistant
Copy link

parse-github-assistant bot commented May 20, 2023
edited
Loading

Thanks for opening this pull request!

  • ❌ Please link an issue that describes the reason for this pull request, otherwise your pull request will be closed. Make sure to write it as Closes: #123 in the PR description, so I can recognize it.

@mtrezza mtrezza changed the base branch from alpha to release-5.x.x May 20, 2023 22:22
@mtrezza mtrezza changed the title fix: 45x9 fix: lts 45x9 May 20, 2023
@parse-github-assistant
Copy link

parse-github-assistant bot commented May 20, 2023

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant bot changed the title fix: lts 45x9 fix: Lts 45x9 May 20, 2023
@mtrezza mtrezza closed this May 20, 2023
@mtrezza mtrezza reopened this May 20, 2023
@codecov
Copy link

codecov bot commented May 20, 2023
edited
Loading

Codecov Report

Patch coverage: 100.00% and project coverage change: +0.03 🎉

Comparison is base (4f0f0ec) 94.09% compared to head (600c17b) 94.12%.

❗ Current head 600c17b differs from pull request most recent head 8d5dc93. Consider uploading reports for the commit 8d5dc93 to get more accurate results

Additional details and impacted files 
@@                Coverage Diff                @@
##           release-5.x.x    #8537      +/-   ##
=================================================
+ Coverage          94.09%   94.12%   +0.03%     
=================================================
  Files                183      183              
  Lines              13776    13798      +22     
=================================================
+ Hits               12963    12988      +25     
+ Misses               813      810       -3
Impacted Files Coverage Δ
src/Options/Definitions.js 100.00% <ø> (ø)
src/Options/index.js 100.00% <ø> (ø)
src/Config.js 89.09% <100.00%> (+0.16%) ⬆️
src/Routers/FilesRouter.js 93.29% <100.00%> (+0.82%) ⬆️

... and 3 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Do you have feedback about the report comment? Let us know in this issue.

@mtrezza mtrezza changed the title fix: Lts 45x9 feat: Add new Parse Server option fileUpload.fileExtensions to restrict file upload by file extension May 20, 2023
@mtrezza mtrezza merged commit 196e05f into parse-community:release-5.x.x May 20, 2023
parseplatformorg pushed a commit that referenced this pull request May 20, 2023
@semantic-release-bot
chore(release): 5.5.0 [skip ci]
ac90cb8 
# [5.5.0](5.4.3...5.5.0) (2023-05-20)

### Features

* Add new Parse Server option `fileUpload.fileExtensions` to restrict file upload by file extension; this fixes a security vulnerability in which a phishing attack could be performed using an uploaded HTML file; by default the new option only allows file extensions matching the regex pattern `^[^hH][^tT][^mM][^lL]?$`, which excludes HTML files; this fix is released as a patch version given the severity of this vulnerability, however, if your app currently depends on uploading files with HTML file extensions then this may be a breaking change and you could allow HTML file upload by setting the option to `['.*']` ([#8537](#8537)) ([196e05f](196e05f))
@parseplatformorg
Copy link
Contributor

parseplatformorg commented May 20, 2023

🎉 This change has been released in version 5.5.0

@parseplatformorg parseplatformorg added the state:released-5.x.x Released as LTS version label May 20, 2023
@mtrezza mtrezza deleted the fix-lts branch May 20, 2023 23:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

state:released-5.x.x Released as LTS version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mtrezza @parseplatformorg @dblythy