
fix: GHSA-r899-h629-j84r #10521

Open

mtrezza wants to merge 2 commits into parse-community:alpha from mtrezza:fix/GHSA-r899-h629-j84r-v9


Conversation

@mtrezza (Member) commented Jun 22, 2026

Summary by CodeRabbit

Release Notes

  • Bug Fixes

    • Tightened file upload Content-Type validation when the filename extension can’t be recognized.
    • Malformed Content-Type values are now reliably rejected with clear “Invalid Content-Type” errors.
    • Subtype values are validated against the configured extension restrictions, improving consistency.
  • Tests

    • Expanded upload validation test coverage for malformed and vendor Content-Type scenarios.
    • Updated purchase-related test fixtures to reflect the correct file content-type format.

@parse-github-assistant


🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

@coderabbitai (bot) commented Jun 22, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ca8ee797-9473-4460-9204-1850d74c9d7d

📥 Commits

Reviewing files that changed from the base of the PR and between bbf7731 and 0588da3.

📒 Files selected for processing (3)
  • spec/ParseFile.spec.js
  • spec/PurchaseValidation.spec.js
  • src/Routers/FilesRouter.js
🚧 Files skipped from review as they are similar to previous changes (1)
  • src/Routers/FilesRouter.js

📝 Walkthrough

FilesRouter.createHandler now computes isExtensionRecognized earlier and replaces the prior contentTypeExtension fallback with strict type/subtype parsing of the Content-Type header. Malformed values (no slash, empty subtype) are rejected with "Invalid Content-Type.". Five new spec tests cover rejection of missing slash, empty subtype, extension-less files, and wildcard bypass; a test fixture is updated to use proper text/plain format.

Changes

Strict Content-Type Validation in File Upload

Layer: Stricter Content-Type parsing in createHandler
File(s): src/Routers/FilesRouter.js
Summary: isExtensionRecognized is computed earlier; the contentTypeExtension fallback is replaced with explicit type/subtype splitting. Malformed Content-Type values now produce FILE_SAVE_ERROR with "Invalid Content-Type.".

Layer: Test coverage for malformed and valid Content-Type cases
File(s): spec/ParseFile.spec.js
Summary: Five new tests assert that malformed Content-Type values (missing slash, empty subtype) are rejected; that the rejection applies to files without extensions; that fileExtensions: ['*'] bypasses the check; and that a valid but MIME-unrecognized vendor type is accepted.

Layer: Fixture update for proper Content-Type format
File(s): spec/PurchaseValidation.spec.js
Summary: The createProduct() test fixture updates Parse.File contentType from 'text' to 'text/plain' to comply with the new strict parsing requirements.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

  • parse-community/parse-server#10191: Modifies the same createHandler code path for parsing upload Content-Type when a filename extension isn't recognized, directly overlapping with this PR's strict parsing changes.
  • parse-community/parse-server#10489: Also updates FilesRouter.js to handle malformed/unparseable Content-Type during extension blocklist validation and adds tests for those branches.
  • parse-community/parse-server#10505: Changes FilesRouter.createHandler and spec/ParseFile.spec.js around fileExtensions validation to prevent extension blocklist bypass via mismatched Content-Type/extension combinations.
🚥 Pre-merge checks | ✅ 4 | ❌ 3

❌ Failed checks (2 warnings, 1 inconclusive)

Description check (⚠️ Warning)
Explanation: The PR description is completely empty; no content was provided by the author to describe the issue, approach, or tasks.
Resolution: Add a PR description following the template with sections for Issue, Approach, and Tasks to explain the security fix and changes made.

Docstring Coverage (⚠️ Warning)
Explanation: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.
Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

Engage In Review Feedback (❓ Inconclusive)
Explanation: GitHub PR review comments are not accessible through available tools; verification requires direct GitHub PR interface access.
Resolution: To verify this check, access PR #10521 on GitHub directly at #10521 to examine review comments, discussions, and commits.

✅ Passed checks (4 passed)

Title check (✅ Passed)
Explanation: The PR title begins with 'fix:' prefix which is one of the required prefixes, and clearly references a security advisory (GHSA-r899-h629-j84r) matching the security-focused changes.

Linked Issues check (✅ Passed)
Explanation: Check skipped because no linked issues were found for this pull request.

Out of Scope Changes check (✅ Passed)
Explanation: Check skipped because no linked issues were found for this pull request.

Security Check (✅ Passed)
Explanation: PR fixes stored XSS vulnerability by strictly validating Content-Type headers to prevent malformed types that enable MIME sniffing attacks. Implementation correctly parses type/subtype format, vali...

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.44.0)
spec/ParseFile.spec.js

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands.
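An added example, not parse-server's own code and not CodeRabbit's: a strict Content-Type check shaped like the behaviour the walkthrough above describes (missing slash and empty subtype rejected, `['*']` bypassing the check, a vendor subtype accepted when the rules allow it). The helper names, the `KNOWN_EXTENSIONS` set, the assumed rule shapes inside `fileExtensions` and every sample value are constructed for this example.

```javascript
// Added example, not parse-server's own code: a strict Content-Type check
// shaped like the behaviour the walkthrough describes. KNOWN_EXTENSIONS,
// the rule shapes in fileExtensions and all sample values are constructed.
const KNOWN_EXTENSIONS = new Set(['txt', 'png', 'jpg', 'json', 'html', 'htm']);

// Parse "type/subtype[; params]" strictly: exactly one slash and a
// non-empty type and subtype. "text", "text/" and "a/b/c" are all rejected.
function parseContentType(header) {
  if (typeof header !== 'string') return null;
  const parts = header.split(';')[0].trim().toLowerCase().split('/');
  if (parts.length !== 2) return null;
  const [type, subtype] = parts;
  if (!type || !subtype) return null;
  return { type, subtype };
}

// A fileExtensions rule is '*' (allow everything), a literal extension
// string, or a RegExp tested against the extension (assumed rule shapes).
function extensionAllowed(ext, fileExtensions) {
  return fileExtensions.some(rule =>
    rule === '*' || (rule instanceof RegExp ? rule.test(ext) : rule === ext)
  );
}

// When the filename's extension is recognized it is checked directly.
// Otherwise the Content-Type subtype stands in for the extension, so a
// malformed header is an explicit error instead of a silent pass.
function validateUpload(filename, contentType, fileExtensions) {
  if (fileExtensions.includes('*')) return { ok: true };
  const dot = filename.lastIndexOf('.');
  const ext = dot > 0 ? filename.slice(dot + 1).toLowerCase() : '';
  const isExtensionRecognized = KNOWN_EXTENSIONS.has(ext);
  if (isExtensionRecognized) {
    return extensionAllowed(ext, fileExtensions)
      ? { ok: true }
      : { ok: false, error: `Extension ${ext} not allowed.` };
  }
  const parsed = parseContentType(contentType);
  if (!parsed) return { ok: false, error: 'Invalid Content-Type.' };
  return extensionAllowed(parsed.subtype, fileExtensions)
    ? { ok: true }
    : { ok: false, error: `Subtype ${parsed.subtype} not allowed.` };
}

// Constructed configs: an explicit allow-list, and a rule that admits any
// subtype except html/htm (so a vendor type like vnd.custom+json passes).
const STRICT_LIST = ['txt', 'png'];
const BLOCK_HTML = [/^(?!html?$)[a-z0-9.+-]+$/];
```

With `STRICT_LIST`, an extension-less upload sent as `text/plain` is refused because the subtype `plain` is not an allowed extension, which is the same mismatch the updated `spec/PurchaseValidation.spec.js` fixture works around by sending `text/plain` instead of `text`.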

coderabbitai[bot] previously approved these changes Jun 22, 2026
@codecov (bot) commented Jun 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.67%. Comparing base (4d3465c) to head (0588da3).

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha   #10521      +/-   ##
==========================================
+ Coverage   92.66%   92.67%   +0.01%     
==========================================
  Files         193      193              
  Lines       16971    16980       +9     
  Branches      248      248              
==========================================
+ Hits        15726    15737      +11     
+ Misses       1224     1222       -2     
  Partials       21       21              

☔ View full report in Codecov by Harness.
