Conversation

@mtrezza
Member

@mtrezza mtrezza commented Nov 5, 2025

Pull Request

Issue

The fix to address GHSA-9prm-jqwx-45x9 was to add a new Parse Server option fileUpload.fileExtensions to restrict file upload of specific file extensions. A specific concern was HTML file extensions.

Quick research shows that the following MIME types are currently mapped to text/html:

.html
.htm
.shtml
.xhtml

The current default value for fileUpload.fileExtensions is ^(?!(h|H)(t|T)(m|M)(l|L)?$) which doesn't include xhtml and shtml.

Thanks to @luryus for bringing this to our attention.

Approach

Add xhtml and shtml to the default value. The new default value would be ^(?![xXsS]?[hH][tT][mM][lL]?$).

Summary by CodeRabbit

  • Bug Fixes
    • Updated file upload validation to block additional HTML-related file formats by default, including MIME-mapped variants.
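To make the regex change concrete, here is an added example (not Parse Server's own code) that models how a fileUpload.fileExtensions value is applied and compares the old and new defaults over a constructed set of upload names. It assumes each entry of the option is compiled as a RegExp and tested against the file name's extension, and that an upload is accepted when any entry matches; the helper names are hypothetical.

```javascript
// Added example, not Parse Server code. Assumption: each fileExtensions
// entry is compiled as a RegExp and tested against the extension (text after
// the last dot, without the dot); any match accepts the upload.
const OLD_DEFAULT = '^(?!(h|H)(t|T)(m|M)(l|L)?$)';
const NEW_DEFAULT = '^(?![xXsS]?[hH][tT][mM][lL]?$)';

// Extension of a file name, or '' when there is none.
function extensionOf(filename) {
  const i = filename.lastIndexOf('.');
  return i === -1 ? '' : filename.slice(i + 1);
}

// True when the upload would be accepted under the given option value.
// '*' is treated as "allow everything"; any other entry is a regex source.
function isExtensionAllowed(filename, fileExtensions) {
  const ext = extensionOf(filename);
  return fileExtensions.some(
    pattern => pattern === '*' || new RegExp(pattern).test(ext)
  );
}

// Evaluate every sample under both defaults so the difference is visible.
function compareDefaults(filenames) {
  return filenames.map(name => ({
    name,
    before: isExtensionAllowed(name, [OLD_DEFAULT]),
    after: isExtensionAllowed(name, [NEW_DEFAULT]),
  }));
}

// Constructed sample upload names covering the extensions mapped to
// text/html (mixed case, since the pattern is case-insensitive by hand)
// plus two harmless ones.
const SAMPLES = ['page.html', 'page.HTM', 'page.shtml', 'page.XHTML', 'photo.jpg', 'notes.txt'];

// Names the old default accepted but the new default rejects.
function newlyBlocked(filenames) {
  return compareDefaults(filenames)
    .filter(r => r.before && !r.after)
    .map(r => r.name);
}

console.table(compareDefaults(SAMPLES));
console.log('newly blocked:', newlyBlocked(SAMPLES)); // page.shtml, page.XHTML
```

The lookahead is anchored with `$`, so names like `page.html.txt` yield the extension `txt` and are accepted under both defaults; only the final extension is checked.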

@parse-github-assistant

parse-github-assistant bot commented Nov 5, 2025

🚀 Thanks for opening this pull request!

@coderabbitai

coderabbitai bot commented Nov 5, 2025

📝 Walkthrough

Updated the default regex pattern for file upload extension filtering across configuration and documentation files. The pattern changed from ^(?!(h|H)(t|T)(m|M)(l|L)?$) to ^(?![xXsS]?[hH][tT][mM][lL]?$) to expand exclusion of HTML-like file extensions and their MIME-mapped variants.

Changes

Cohort / File(s) Summary
File Upload Options Default Pattern Update
src/Options/Definitions.js, src/Options/docs.js, src/Options/index.js
Updated the fileExtensions default regex pattern in FileUploadOptions from `^(?!(h

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

  • Regex pattern correctness: Verify the new negative lookahead pattern (^(?![xXsS]?[hH][tT][mM][lL]?$)) correctly matches intended file extensions (html, htm, xhtml, xht, shtml, sht) and no others
  • Consistency validation: Confirm the pattern update is identical across all three files and no inconsistencies exist
  • Security implications: Assess whether the expanded exclusion list addresses the intended security concern without over-blocking

Pre-merge checks and finishing touches

✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The PR title clearly and specifically describes the main change: adding problematic MIME types to the default fileExtensions option value.
Description check ✅ Passed The PR description includes all critical sections: Issue (with security advisory reference), Approach (explaining the regex change), and context about MIME types. The required template sections are substantially filled.

📜 Recent review details


📥 Commits

Reviewing files that changed from the base of the PR and between e9fc20d and 4f910fd.

📒 Files selected for processing (3)
  • src/Options/Definitions.js (1 hunks)
  • src/Options/docs.js (1 hunks)
  • src/Options/index.js (1 hunks)
🔇 Additional comments (3)
src/Options/Definitions.js (1)

1080-1082: LGTM! Regex correctly expands HTML extension blocking for security.

The updated regex pattern ^(?![xXsS]?[hH][tT][mM][lL]?$) correctly blocks all MIME types mapped to text/html (htm, html, shtml, xhtml) in a case-insensitive manner. The optional [xXsS]? prefix appropriately catches the shtml and xhtml variants that were previously allowed. The documentation accurately describes the security rationale and the new default behavior.

src/Options/index.js (1)

597-598: LGTM! Documentation accurately reflects the expanded security default.

The updated JSDoc comment and default tag are consistent with the changes in Definitions.js. The documentation clearly explains the security rationale and specifies which MIME types are now blocked by default.

src/Options/docs.js (1)

238-238: LGTM! Documentation is consistent across all files.

The JSDoc comment accurately reflects the new default regex pattern and is consistent with the changes in index.js and Definitions.js.


@parseplatformorg
Contributor

Snyk checks have passed. No issues have been found so far.

Status | Scanner              | Critical | High | Medium | Low | Total (0)
       | Open Source Security | 0        | 0    | 0      | 0   | 0 issues


@codecov

codecov bot commented Nov 5, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.99%. Comparing base (e9fc20d) to head (4f910fd).
⚠️ Report is 9 commits behind head on alpha.

Additional details and impacted files
@@           Coverage Diff           @@
##            alpha    #9902   +/-   ##
=======================================
  Coverage   92.99%   92.99%           
=======================================
  Files         187      187           
  Lines       15177    15177           
  Branches      177      177           
=======================================
  Hits        14114    14114           
  Misses       1051     1051           
  Partials       12       12           


@mtrezza mtrezza merged commit fa245cb into parse-community:alpha Nov 5, 2025
26 checks passed
parseplatformorg pushed a commit that referenced this pull request Nov 5, 2025
## [8.3.1-alpha.1](8.3.0...8.3.1-alpha.1) (2025-11-05)

### Bug Fixes

* Add problematic MIME types to default value of Parse Server option `fileUpload.fileExtensions` ([#9902](#9902)) ([fa245cb](fa245cb))
@parseplatformorg
Contributor

🎉 This change has been released in version 8.3.1-alpha.1

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Nov 5, 2025
@mtrezza mtrezza deleted the fix/file-extensions-html branch November 5, 2025 12:14
parseplatformorg pushed a commit that referenced this pull request Nov 5, 2025
# [8.4.0](8.3.0...8.4.0) (2025-11-05)

### Bug Fixes

* Add problematic MIME types to default value of Parse Server option `fileUpload.fileExtensions` ([#9902](#9902)) ([fa245cb](fa245cb))
* Uploading a file by providing an origin URL allows for Server-Side Request Forgery (SSRF); fixes vulnerability [GHSA-x4qj-2f4q-r4rx](GHSA-x4qj-2f4q-r4rx) ([#9903](#9903)) ([9776386](9776386))

### Features

* Add support for Node 24 ([#9901](#9901)) ([25dfe19](25dfe19))
@parseplatformorg
Contributor

🎉 This change has been released in version 8.4.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Nov 5, 2025