
fix: Stored XSS via malformed Content-Type bypassing file upload extension blocklist (GHSA-r899-h629-j84r) #10521

Merged: mtrezza merged 3 commits into parse-community:alpha from mtrezza:fix/GHSA-r899-h629-j84r-v9 on Jun 25, 2026

Conversation


@mtrezza mtrezza commented Jun 22, 2026

Member

Issue

Stored XSS via malformed Content-Type bypassing file upload extension blocklist (GHSA-r899-h629-j84r)

Tasks

  • Add tests

@parse-github-assistant


🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.


coderabbitai Bot commented Jun 22, 2026



Walkthrough

FilesRouter.createHandler now strictly parses Content-Type for uploads with unrecognized filename extensions and rejects malformed values with "Invalid Content-Type.". The specs add coverage for malformed, wildcard-bypassed, and vendor media type cases, and one purchase validation fixture now uses text/plain.

Changes

Strict Content-Type Validation in File Upload

Layer / File(s) / Summary

  • Stricter Content-Type parsing in createHandler (src/Routers/FilesRouter.js): isExtensionRecognized is computed earlier; the contentTypeExtension fallback is replaced with explicit type/subtype splitting. Malformed Content-Type values now produce FILE_SAVE_ERROR with "Invalid Content-Type.".
  • Test coverage for malformed and valid Content-Type cases (spec/ParseFile.spec.js): new tests assert that malformed Content-Type values are rejected, that the rejection applies to files without extensions, that fileExtensions: ['*'] bypasses the check, and that a valid vendor media type is accepted.
  • Fixture update for proper Content-Type format (spec/PurchaseValidation.spec.js): the createProduct() test fixture updates Parse.File contentType from 'text' to 'text/plain'.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes


🚥 Pre-merge checks | ✅ 5 | ❌ 2

❌ Failed checks (2 warnings)

  • Description check: ⚠️ Warning. No pull request description was provided, so the required Issue, Approach, and Tasks sections are missing. Resolution: add the PR template sections for Issue, Approach, and Tasks, and briefly summarize the security fix and completed checklist items.
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (5 passed)

  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Security Check: ✅ Passed. Upload validation now rejects malformed or blocked Content-Type values before file creation, and no new insecure patterns were found.
  • Engage In Review Feedback: ✅ Passed. CodeRabbit review feedback was addressed by later commits, and the PR shows the stale review was dismissed after those changes; no ignored feedback is evident.
  • Title check: ✅ Passed. The title has the required fix: prefix and accurately summarizes the malformed Content-Type file upload blocklist fix.

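The walkthrough above describes the fix only in prose. The following is an added example, not parse-server's own FilesRouter code, that implements the same idea: an upload whose filename has no extension gets its extension from a strictly parsed Content-Type, and a header that does not parse is rejected with "Invalid Content-Type." instead of silently skipping the extension check. The option shape (fileExtensions as regex strings, with '*' disabling the check) and the helper names are assumptions for this example.

```javascript
// Added example, not parse-server's own code: a strict Content-Type check of the kind the
// walkthrough describes. The policy below and the option shape are assumptions for this
// example: fileExtensions is a list of regex strings matched against the extension, and the
// entry '*' disables the check entirely (as the fileExtensions: ['*'] test suggests).

// Characters allowed in a type or subtype name: RFC 2045 token characters minus '*',
// since a wildcard is never a concrete upload media type.
const TOKEN = /^[A-Za-z0-9!#$%&'+.^_`|~-]+$/;

// Strictly parse "type/subtype[; param=value]". Returns null for anything malformed,
// e.g. 'text', 'text/', '/html', 'a/b/c', 'text/ html', '*/*'.
function parseContentType(value) {
  if (typeof value !== 'string') return null;
  const parts = value.split(';')[0].trim().split('/');
  if (parts.length !== 2) return null;
  const [type, subtype] = parts;
  if (!TOKEN.test(type) || !TOKEN.test(subtype)) return null;
  return { type: type.toLowerCase(), subtype: subtype.toLowerCase() };
}

// Constructed default: allow any extension except those a browser renders as active content.
const DEFAULT_FILE_EXTENSIONS = ['^(?!(html|htm|xhtml|svg|xml|js)$).*$'];

function isAllowedExtension(extension, fileExtensions) {
  return fileExtensions.some(p => p === '*' || new RegExp(p).test(extension));
}

// Returns { ok: true, extension } when the upload may be stored, else { ok: false, error }.
function validateUpload(filename, contentType, fileExtensions = DEFAULT_FILE_EXTENSIONS) {
  if (fileExtensions.includes('*')) return { ok: true, extension: undefined };
  // Use the filename's own extension when it has one.
  const match = /\.([^.]+)$/.exec(filename);
  let extension = match ? match[1].toLowerCase() : undefined;
  if (extension === undefined) {
    // No extension in the filename: derive one from a strictly parsed Content-Type.
    // A header that does not parse is an error, never a reason to skip the check.
    const parsed = parseContentType(contentType);
    if (!parsed) return { ok: false, error: 'Invalid Content-Type.' };
    extension = parsed.subtype;
  }
  if (!isAllowedExtension(extension, fileExtensions)) {
    return { ok: false, error: `File upload of extension ${extension} is disabled.` };
  }
  return { ok: true, extension };
}
```

The error message for a blocked extension is constructed for this example; only "Invalid Content-Type." comes from the PR.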

coderabbitai[bot]
coderabbitai Bot previously approved these changes Jun 22, 2026
coderabbitai[bot]
coderabbitai Bot previously approved these changes Jun 23, 2026

codecov Bot commented Jun 23, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.66%. Comparing base (4d3465c) to head (a221f9f).

Additional details and impacted files
@@           Coverage Diff           @@
##            alpha   #10521   +/-   ##
=======================================
  Coverage   92.66%   92.66%           
=======================================
  Files         193      193           
  Lines       16971    16981   +10     
  Branches      248      248           
=======================================
+ Hits        15726    15736   +10     
  Misses       1224     1224           
  Partials       21       21           


@mtrezza mtrezza changed the title from "fix: GHSA-r899-h629-j84r" to "fix: Stored XSS via malformed Content-Type bypassing file upload extension blocklist (GHSA-r899-h629-j84r)" Jun 25, 2026
@mtrezza mtrezza merged commit cce91e5 into parse-community:alpha Jun 25, 2026
40 of 41 checks passed
parseplatformorg pushed a commit that referenced this pull request Jun 25, 2026
# [9.10.0-alpha.2](9.10.0-alpha.1...9.10.0-alpha.2) (2026-06-25)

### Bug Fixes

* Stored XSS via malformed Content-Type bypassing file upload extension blocklist ([GHSA-r899-h629-j84r](GHSA-r899-h629-j84r)) ([#10521](#10521)) ([cce91e5](cce91e5))
@parseplatformorg

Contributor

🎉 This change has been released in version 9.10.0-alpha.2


Labels

state:released-alpha Released as alpha version
