Conversation

@mtrezza
Member

@mtrezza mtrezza commented Nov 5, 2025

Summary by CodeRabbit

  • Bug Fixes

    • URI-backed file uploads are disabled; files referenced by URIs no longer auto-download or embed data during creation.
  • Tests

    • Added tests that simulate URI sources and verify no external requests occur and upload outcomes behave as expected.

@parse-github-assistant

parse-github-assistant bot commented Nov 5, 2025

🚀 Thanks for opening this pull request!

@coderabbitai

coderabbitai bot commented Nov 5, 2025

📝 Walkthrough

Walkthrough

Removed automatic URI-based file downloading from the FilesRouter and added tests that spin up a local server to ensure no HTTP requests are made for URI-backed file sources during creation or in beforeSave triggers.

Changes

Cohort / File(s): Summary

Tests: URI-backed uploads (spec/ParseFile.spec.js)
Adds tests that start a local Express server to simulate URI sources and assert that uploading a File with a uri source, or creating a File in a beforeSave trigger, does not perform HTTP requests to the URI and behaves as expected.

Files router: remove URI download (src/Routers/FilesRouter.js)
Removes the HTTP dependency and the helpers downloadFileFromURI() and addFileDataIfNeeded(), and deletes the calls that auto-download and embed _data for files with uri sources; the file creation flow no longer fetches or attaches data from URIs.

Sequence Diagram(s)

mermaid
sequenceDiagram
autonumber
participant Client
participant FilesRouter
participant LocalServer
note right of FilesRouter #e6f7ff: Previous flow (before change)
Client->>FilesRouter: Create file with uri field
FilesRouter->>LocalServer: HTTP GET (downloadFileFromURI)
LocalServer-->>FilesRouter: 200 + file bytes
FilesRouter->>FilesRouter: embed _data and create file
note right of FilesRouter #fff7e6: New flow (after change)
Client->>FilesRouter: Create file with uri field
FilesRouter-->>Client: Proceed without fetching URI (no HTTP requests)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Review src/Routers/FilesRouter.js to ensure all URI-download code paths and helper functions were fully removed and no dead references remain.
  • Validate spec/ParseFile.spec.js covers direct creation and beforeSave scenarios and that the test server assertions correctly detect absence of outbound requests.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Description check: ⚠️ Warning. No pull request description was provided by the author, leaving required sections like Issue, Approach, and Tasks completely unfilled. Resolution: provide a complete PR description following the template: include the issue link, describe the approach (SSRF prevention), and check the relevant tasks.

✅ Passed checks (1 passed)

Title check: ✅ Passed. The title accurately describes the main security fix: preventing SSRF vulnerabilities from URI-backed file uploads, which aligns with the removal of URI download functionality and the addition of security tests.
@parseplatformorg
Contributor

parseplatformorg commented Nov 5, 2025

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security. Critical: 0, High: 0, Medium: 0, Low: 0. Total: 0 issues.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52bfb18 and 49b88d0.

📒 Files selected for processing (2)
  • spec/ParseFile.spec.js (1 hunks)
  • src/Routers/FilesRouter.js (0 hunks)
💤 Files with no reviewable changes (1)
  • src/Routers/FilesRouter.js
🧰 Additional context used
🧠 Learnings (5)
📚 Learning: 2025-05-09T09:59:06.289Z
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: Tests in the parse-server repository should use promise-based approaches rather than callback patterns with `done()`. Use a pattern where a Promise is created that resolves when the event occurs, then await that promise.

Applied to files:

  • spec/ParseFile.spec.js
📚 Learning: 2025-05-09T09:59:06.289Z
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1340-1375
Timestamp: 2025-05-09T09:59:06.289Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`. The preferred pattern is to create a Promise that resolves when an expected event occurs, then await that Promise.

Applied to files:

  • spec/ParseFile.spec.js
📚 Learning: 2025-10-16T19:27:05.311Z
Learnt from: Moumouls
Repo: parse-community/parse-server PR: 9883
File: spec/CloudCodeLogger.spec.js:410-412
Timestamp: 2025-10-16T19:27:05.311Z
Learning: In spec/CloudCodeLogger.spec.js, the test "should log cloud function triggers using the silent log level" (around lines 383-420) is known to be flaky and requires the extra `await new Promise(resolve => setTimeout(resolve, 100))` timeout after awaiting `afterSavePromise` for reliability, even though it may appear redundant.

Applied to files:

  • spec/ParseFile.spec.js
📚 Learning: 2025-05-04T20:41:05.147Z
Learnt from: mtrezza
Repo: parse-community/parse-server PR: 9445
File: spec/ParseLiveQuery.spec.js:1312-1338
Timestamp: 2025-05-04T20:41:05.147Z
Learning: New tests in the parse-server repository should use async/await with promise-based patterns rather than callback patterns with `done()`.

Applied to files:

  • spec/ParseFile.spec.js
📚 Learning: 2025-04-30T19:31:35.344Z
Learnt from: RahulLanjewar93
Repo: parse-community/parse-server PR: 9744
File: spec/ParseLiveQuery.spec.js:0-0
Timestamp: 2025-04-30T19:31:35.344Z
Learning: In the Parse Server codebase, the functions in QueryTools.js are typically tested through end-to-end behavior tests rather than direct unit tests, even though the functions are exported from the module.

Applied to files:

  • spec/ParseFile.spec.js
🔇 Additional comments (2)
spec/ParseFile.spec.js (2)

657-678: LGTM! Proper test server setup for SSRF verification.

The Express server setup correctly uses dynamic port assignment and tracks HTTP requests to verify that URI sources are not accessed. The cleanup in afterEach properly closes the server.


680-703: LGTM! Correct verification of SSRF prevention for REST file uploads.

The test correctly verifies that a file with a URI source can be saved to an object (status 201) but the server never accesses the URI, preventing SSRF attacks.
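The before/after flow from the walkthrough above and the request-tracking check this review comment describes, as an added example that is not part of the PR or of parse-server's own code. It replaces the spec's local Express server with an injected transport that records every URL the router tries to fetch, so the property "no request ever reaches the URI" can be asserted in-process. The helper names downloadFileFromURI and addFileDataIfNeeded are taken from the walkthrough; their signatures, the transport interface, the payload shapes and the addresses used are assumptions made for illustration.

```javascript
// Added example, not parse-server's code. It models the FilesRouter
// file-creation flow before and after PR #9903 with an injected transport,
// so the SSRF property can be checked without opening a socket. The helper
// names downloadFileFromURI and addFileDataIfNeeded come from the PR
// walkthrough; their signatures and the request/response shapes here are
// assumptions made for illustration.

// Stand-in for the local server the spec uses: instead of listening for
// requests it records every URL the router tries to fetch.
function recordingTransport() {
  const requests = [];
  return {
    requests,
    get(url) {
      requests.push(url);
      // Constructed response: pretend an internal host answered.
      return { status: 200, body: Buffer.from('internal-secret') };
    },
  };
}

// BEFORE the fix: the router dereferences a client-supplied `uri` itself.
// The server becomes the HTTP client, so any host it can reach (loopback,
// private ranges, cloud metadata endpoints) is fetchable by whoever can
// create a file, and the response is embedded into the stored object.
function downloadFileFromURI(transport, uri) {
  const res = transport.get(uri);
  if (res.status !== 200) {
    throw new Error(`fetch of ${uri} failed with status ${res.status}`);
  }
  return res.body;
}

function addFileDataIfNeeded(transport, file) {
  if (file.__type === 'File' && file.uri && !file._data) {
    file._data = downloadFileFromURI(transport, file.uri).toString('base64');
  }
  return file;
}

function createFileVulnerable(transport, body) {
  const file = addFileDataIfNeeded(transport, { ...body });
  return { status: 201, file };
}

// AFTER the fix: `uri` is never dereferenced. Only data the client actually
// sent (the base64 field) becomes file content; a URI-only file is stored
// as the plain reference the client supplied and the request still gets 201.
function createFileHardened(_transport, body) {
  const file = { ...body };
  if (file.__type === 'File' && file.base64 && !file._data) {
    file._data = file.base64;
  }
  return { status: 201, file };
}

// Constructed payloads: an attacker pointing the server at an internal-only
// address (10.0.0.5 is a private address chosen for the example), and a
// legitimate client sending inline data.
const ATTACKER_BODY = {
  __type: 'File',
  name: 'avatar.png',
  uri: 'http://10.0.0.5/admin/export',
};
const LEGIT_BODY = {
  __type: 'File',
  name: 'note.txt',
  base64: Buffer.from('hello').toString('base64'),
};

// Runs both versions against the payloads and reports what left the server.
function demo() {
  const before = recordingTransport();
  const vuln = createFileVulnerable(before, ATTACKER_BODY);

  const after = recordingTransport();
  const fixed = createFileHardened(after, ATTACKER_BODY);
  const legit = createFileHardened(after, LEGIT_BODY);

  return {
    vulnerableStatus: vuln.status,
    vulnerableRequests: before.requests,      // ['http://10.0.0.5/admin/export']
    vulnerableEmbeddedData: vuln.file._data,  // base64 of the internal response
    hardenedStatus: fixed.status,             // 201: the save still succeeds
    hardenedRequests: after.requests,         // []: nothing left the server
    hardenedEmbeddedData: fixed.file._data,   // undefined
    legitEmbeddedData: legit.file._data,      // base64 of 'hello'
  };
}
```

The design point is that the hardened handler has no code path that turns a client string into an outbound request: the only content that becomes a file is what the client sent inline, so there is nothing to allow-list, resolve or time out. Removing the feature is a stronger fix than filtering URIs, because URI filters have to reason about DNS rebinding, redirects and alternate IP encodings, none of which apply when no request is made.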

@codecov

codecov bot commented Nov 5, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.06%. Comparing base (25dfe19) to head (9fb91f0).
⚠️ Report is 6 commits behind head on alpha.

Additional details and impacted files
@@            Coverage Diff             @@
##            alpha    #9903      +/-   ##
==========================================
+ Coverage   92.97%   93.06%   +0.08%     
==========================================
  Files         187      187              
  Lines       15177    15160      -17     
  Branches      177      177              
==========================================
- Hits        14111    14108       -3     
+ Misses       1054     1040      -14     
  Partials       12       12              

@mtrezza mtrezza changed the title fix alpha fix: Uploading a file by providing an origin URL allows for Server-Side Request Forgery (SSRF); fixes vulnerability [GHSA-x4qj-2f4q-r4rx](https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx) Nov 5, 2025
@mtrezza mtrezza changed the title fix: Uploading a file by providing an origin URL allows for Server-Side Request Forgery (SSRF); fixes vulnerability [GHSA-x4qj-2f4q-r4rx](https://github.com/parse-community/parse-server/security/advisories/GHSA-x4qj-2f4q-r4rx) fix: Uploading a file by providing an origin URL allows for Server-Side Request Forgery (SSRF) Nov 5, 2025
@mtrezza mtrezza merged commit 9776386 into parse-community:alpha Nov 5, 2025
25 of 27 checks passed
parseplatformorg pushed a commit that referenced this pull request Nov 5, 2025
# 8.4.0-alpha.2 (8.4.0-alpha.1...8.4.0-alpha.2) (2025-11-05)

### Bug Fixes

* Uploading a file by providing an origin URL allows for Server-Side Request Forgery (SSRF); fixes vulnerability GHSA-x4qj-2f4q-r4rx (#9903) (9776386)
@parseplatformorg
Contributor

🎉 This change has been released in version 8.4.0-alpha.2

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Nov 5, 2025
parseplatformorg pushed a commit that referenced this pull request Nov 5, 2025
# 8.4.0 (8.3.0...8.4.0) (2025-11-05)

### Bug Fixes

* Add problematic MIME types to default value of Parse Server option `fileUpload.fileExtensions` (#9902) (fa245cb)
* Uploading a file by providing an origin URL allows for Server-Side Request Forgery (SSRF); fixes vulnerability GHSA-x4qj-2f4q-r4rx (#9903) (9776386)

### Features

* Add support for Node 24 (#9901) (25dfe19)
@parseplatformorg
Contributor

🎉 This change has been released in version 8.4.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Nov 5, 2025
@mtrezza mtrezza deleted the fix/ssrf branch November 5, 2025 14:15