Add server side validation for uploaded file types #173960
Conversation
Pinging @elastic/kibana-security (Team:Security)

/ci
Overall looks good! I just had couple of comments/questions.
x-pack/plugins/security/public/account_management/user_profile/utils.ts

```ts
const [, mimeType] = matches;

if (!IMAGE_FILE_TYPES.includes(mimeType)) {
```
Should we also constrain the image size (automatically resize) as we do via the UI?
https://github.com/elastic/kibana/blob/079db3e7ebcbed934c39d0efe67821317fe9eaec/x-pack/plugins/security/public/account_management/user_profile/utils.ts#L63C8-L63C8
I did notice that at some point the payload max size kicks in, which would limit the incoming image size, but not to same degree that the UI resizes.
```json
{
  "statusCode": 413,
  "error": "Request Entity Too Large",
  "message": "Payload content length greater than maximum allowed: 1048576"
}
```
Good idea! As image resizing is done via the Image and Canvas APIs on the browser, we'll need to use libraries to do the same for the node server which means adding a new dependency. Where does this dependency go? Top level package.json?
Adding a separate issue for this. https://github.com/elastic/security/issues/1868
In testing this PR I noticed that the Avatar image upload on the Edit User Profile page does not behave as I would expect. So long as you've uploaded an image file, any subsequent non-supported file dragged to the image input does not provide any feedback. I will create an issue for this.

/ci

/ci
LGTM! I tested with various good and bad inputs, including large images which get rejected due to the payload size.
@elasticmachine merge upstream
💚 Build Succeeded
## Summary

Closes elastic/security#1839

## Fixes

- Introduced a MIME type check for the server endpoint for image upload. The check runs against the same allowed file types for the UI and returns an error if not matched.

### Testing

1. Use the `POST kbn://internal/security/user_profile/_data` endpoint with a body as follows (substituting your own base64 image string):

   ```json
   {
     "avatar": {
       "imageUrl": "[image as base64 encoded string]"
     }
   }
   ```

2. The beginning of the base64 string should look something like "data:image/png;base64,...", where 'png' is the image format. Verify that all supported image formats work and the API returns 200 for each.
3. In the base64 string, change the image format (e.g. 'png') to a non-supported format (e.g. 'gnp') and verify a 415 "Unsupported Media Type" error occurs.
4. In the base64 string, change the "data:image/png;base64" to "data:file/pdf;base64" and verify a 415 "Unsupported Media Type" error occurs.

## Release notes

---------

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>