Add server side validation for uploaded file types #173960
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SiddharthMantri
added
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
|
/ci |
jeramysoucy
requested changes
Dec 28, 2023
x-pack/plugins/security/public/account_management/user_profile/utils.ts
Outdated
Show resolved
Hide resolved
|
|
||
| const [, mimeType] = matches; | ||
|
|
||
| if (!IMAGE_FILE_TYPES.includes(mimeType)) { |
There was a problem hiding this comment.
Should we also constrain the image size (automatically resize) as we do via the UI?
https://github.com/elastic/kibana/blob/079db3e7ebcbed934c39d0efe67821317fe9eaec/x-pack/plugins/security/public/account_management/user_profile/utils.ts#L63C8-L63C8
I did notice that at some point the payload max size kicks in, which would limit the incoming image size, but not to same degree that the UI resizes.
{
"statusCode": 413,
"error": "Request Entity Too Large",
"message": "Payload content length greater than maximum allowed: 1048576"
}
There was a problem hiding this comment.
You can see that if I upload via API, the image is much more clear because it is not resized:
But if I upload via the UI, it gets resized:
There was a problem hiding this comment.
Good idea! As image resizing is done via the Image and Canvas APIs on the browser, we'll need to use libraries to do the same for the node server which means adding a new dependency. Where does this dependency go? Top level package.json?
There was a problem hiding this comment.
Adding a separate issue for this. https://github.com/elastic/security/issues/1868
|
In testing this PR I noticed that the Avatar image upload on the Edit User Profile page behaves not as I would expect. So long as you've uploaded an image file, any subsequent non-supported file dragged to the image input does not provide any feedback. I will create an issue for this. |
|
/ci |
|
/ci |
jeramysoucy
approved these changes
Jan 22, 2024
|
@elasticmachine merge upstream |
💚 Build Succeeded
Metrics [docs]Async chunks
Page load bundle
History
To update your PR or re-run it, just comment with: |
cnasikas
approved these changes
Jan 30, 2024
kibanamachine
added
v8.13.0
backport:skip
nreese
pushed a commit
to nreese/kibana
that referenced
this pull request
Jan 31, 2024
## Summary Closes elastic/security#1839 ## Fixes - Introduced a MIME type check for the server endpoint for image upload. The check runs against the same allowed file types for the UI and returns an error if not matched. ### Tesing 1. Use the `POST kbn://internal/security/user_profile/_data` endpoint with a body as follows (substituting your own base64 image string): ``` { "avatar": { "imageUrl": "[image as base64 encoded string]" } } ``` 2. The beginning of the base64 string should look something like "data:image/png;base64,...", where 'png' is the image format. Verify that all supported image formats work and the API returns 200 for each. 3. In the base64 string, change the image format (e.g. 'png') to a non-supported format (e.g. 'gnp') and verify a 415 "Unsupported Media Type" error occurs. 4. In the base64 string, change the "data:image/png;base64" to "data:file/pdf;base64" and verify a 415 "Unsupported Media Type" error occurs. ## Release notes --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
WafaaNasr
pushed a commit
to WafaaNasr/kibana
that referenced
this pull request
Feb 5, 2024
## Summary Closes https://github.com/elastic/security/issues/1839 ## Fixes - Introduced a MIME type check for the server endpoint for image upload. The check runs against the same allowed file types for the UI and returns an error if not matched. ### Tesing 1. Use the `POST kbn://internal/security/user_profile/_data` endpoint with a body as follows (substituting your own base64 image string): ``` { "avatar": { "imageUrl": "[image as base64 encoded string]" } } ``` 2. The beginning of the base64 string should look something like "data:image/png;base64,...", where 'png' is the image format. Verify that all supported image formats work and the API returns 200 for each. 3. In the base64 string, change the image format (e.g. 'png') to a non-supported format (e.g. 'gnp') and verify a 415 "Unsupported Media Type" error occurs. 4. In the base64 string, change the "data:image/png;base64" to "data:file/pdf;base64" and verify a 415 "Unsupported Media Type" error occurs. ## Release notes --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
WafaaNasr
pushed a commit
to WafaaNasr/kibana
that referenced
this pull request
Feb 6, 2024
## Summary Closes https://github.com/elastic/security/issues/1839 ## Fixes - Introduced a MIME type check for the server endpoint for image upload. The check runs against the same allowed file types for the UI and returns an error if not matched. ### Tesing 1. Use the `POST kbn://internal/security/user_profile/_data` endpoint with a body as follows (substituting your own base64 image string): ``` { "avatar": { "imageUrl": "[image as base64 encoded string]" } } ``` 2. The beginning of the base64 string should look something like "data:image/png;base64,...", where 'png' is the image format. Verify that all supported image formats work and the API returns 200 for each. 3. In the base64 string, change the image format (e.g. 'png') to a non-supported format (e.g. 'gnp') and verify a 415 "Unsupported Media Type" error occurs. 4. In the base64 string, change the "data:image/png;base64" to "data:file/pdf;base64" and verify a 415 "Unsupported Media Type" error occurs. ## Release notes --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
CoenWarmer
pushed a commit
to CoenWarmer/kibana
that referenced
this pull request
Feb 15, 2024
## Summary Closes https://github.com/elastic/security/issues/1839 ## Fixes - Introduced a MIME type check for the server endpoint for image upload. The check runs against the same allowed file types for the UI and returns an error if not matched. ### Tesing 1. Use the `POST kbn://internal/security/user_profile/_data` endpoint with a body as follows (substituting your own base64 image string): ``` { "avatar": { "imageUrl": "[image as base64 encoded string]" } } ``` 2. The beginning of the base64 string should look something like "data:image/png;base64,...", where 'png' is the image format. Verify that all supported image formats work and the API returns 200 for each. 3. In the base64 string, change the image format (e.g. 'png') to a non-supported format (e.g. 'gnp') and verify a 415 "Unsupported Media Type" error occurs. 4. In the base64 string, change the "data:image/png;base64" to "data:file/pdf;base64" and verify a 415 "Unsupported Media Type" error occurs. ## Release notes --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
CoenWarmer
pushed a commit
to CoenWarmer/kibana
that referenced
this pull request
Feb 15, 2024
## Summary Closes https://github.com/elastic/security/issues/1839 ## Fixes - Introduced a MIME type check for the server endpoint for image upload. The check runs against the same allowed file types for the UI and returns an error if not matched. ### Tesing 1. Use the `POST kbn://internal/security/user_profile/_data` endpoint with a body as follows (substituting your own base64 image string): ``` { "avatar": { "imageUrl": "[image as base64 encoded string]" } } ``` 2. The beginning of the base64 string should look something like "data:image/png;base64,...", where 'png' is the image format. Verify that all supported image formats work and the API returns 200 for each. 3. In the base64 string, change the image format (e.g. 'png') to a non-supported format (e.g. 'gnp') and verify a 415 "Unsupported Media Type" error occurs. 4. In the base64 string, change the "data:image/png;base64" to "data:file/pdf;base64" and verify a 415 "Unsupported Media Type" error occurs. ## Release notes --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
fkanout
pushed a commit
to fkanout/kibana
that referenced
this pull request
Mar 4, 2024
## Summary Closes elastic/security#1839 ## Fixes - Introduced a MIME type check for the server endpoint for image upload. The check runs against the same allowed file types for the UI and returns an error if not matched. ### Tesing 1. Use the `POST kbn://internal/security/user_profile/_data` endpoint with a body as follows (substituting your own base64 image string): ``` { "avatar": { "imageUrl": "[image as base64 encoded string]" } } ``` 2. The beginning of the base64 string should look something like "data:image/png;base64,...", where 'png' is the image format. Verify that all supported image formats work and the API returns 200 for each. 3. In the base64 string, change the image format (e.g. 'png') to a non-supported format (e.g. 'gnp') and verify a 415 "Unsupported Media Type" error occurs. 4. In the base64 string, change the "data:image/png;base64" to "data:file/pdf;base64" and verify a 415 "Unsupported Media Type" error occurs. ## Release notes --------- Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Closes https://github.com/elastic/security/issues/1839
Fixes
Tesing
POST kbn://internal/security/user_profile/_dataendpoint with a body as follows (substituting your own base64 image string):The beginning of the base64 string should look something like "data:image/png;base64,...", where 'png' is the image format. Verify that all supported image formats work and the API returns 200 for each.
In the base64 string, change the image format (e.g. 'png') to a non-supported format (e.g. 'gnp') and verify a 415 "Unsupported Media Type" error occurs.
In the base64 string, change the "data:image/png;base64" to "data:file/pdf;base64" and verify a 415 "Unsupported Media Type" error occurs.
Release notes