From fd86278919556d3682e7e2c856dfccd5beffbfc0 Mon Sep 17 00:00:00 2001 From: Manuel <5673677+mtrezza@users.noreply.github.com> Date: Sat, 21 Oct 2023 01:01:35 +0200 Subject: [PATCH] fix: Server crash when uploading file without extension; fixes security vulnerability [GHSA-792q-q67h-w579](https://github.com/parse-community/parse-server/security/advisories/GHSA-792q-q67h-w579) (#8781) --- spec/ParseFile.spec.js | 28 ++++++++++++++++++++++++++++ src/Routers/FilesRouter.js | 4 ++-- 2 files changed, 30 insertions(+), 2 deletions(-) diff --git a/spec/ParseFile.spec.js b/spec/ParseFile.spec.js index eeab537008..b4fc72bdbd 100644 --- a/spec/ParseFile.spec.js +++ b/spec/ParseFile.spec.js @@ -1364,6 +1364,34 @@ describe('Parse.File testing', () => { ); }); + it('allows file without extension', async () => { + await reconfigureServer({ + fileUpload: { + enableForPublic: true, + fileExtensions: ['^[^hH][^tT][^mM][^lL]?$'], + }, + }); + const headers = { + 'X-Parse-Application-Id': 'test', + 'X-Parse-REST-API-Key': 'rest', + }; + + const values = ['filenamewithoutextension']; + + for (const value of values) { + await expectAsync( + request({ + method: 'POST', + headers: headers, + url: `http://localhost:8378/1/files/${value}`, + body: '\n', + }).catch(e => { + throw new Error(e.data.error); + }) + ).toBeResolved(); + } + }); + it('works with array', async () => { await reconfigureServer({ fileUpload: { diff --git a/src/Routers/FilesRouter.js b/src/Routers/FilesRouter.js index a5322b4c60..408dc81d8f 100644 --- a/src/Routers/FilesRouter.js +++ b/src/Routers/FilesRouter.js @@ -159,9 +159,9 @@ export class FilesRouter { } else if (contentType && contentType.includes('/')) { extension = contentType.split('/')[1]; } - extension = extension.split(' ').join(''); + extension = extension?.split(' ')?.join(''); - if (!isValidExtension(extension)) { + if (extension && !isValidExtension(extension)) { next( new Parse.Error( Parse.Error.FILE_SAVE_ERROR,