fix: Server crash when uploading file without extension; fixes securi…
mtrezza authored Oct 20, 2023
1 parent 0bb63d8 commit 686a9f2
Showing 2 changed files with 30 additions and 2 deletions.
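--- a/spec/ParseFile.spec.js
+++ b/spec/ParseFile.spec.js
@@ -1366,6 +1366,34 @@ describe('Parse.File testing', () => {
 );
 });
 
+it('allows file without extension', async () => {
+await reconfigureServer({
+fileUpload: {
+enableForPublic: true,
+fileExtensions: ['^[^hH][^tT][^mM][^lL]?$'],
+},
+});
+const headers = {
+'X-Parse-Application-Id': 'test',
+'X-Parse-REST-API-Key': 'rest',
+};
+
+const values = ['filenamewithoutextension'];
+
+for (const value of values) {
+await expectAsync(
+request({
+method: 'POST',
+headers: headers,
+url: `http://localhost:8378/1/files/${value}`,
+body: '<html></html>\n',
+}).catch(e => {
+throw new Error(e.data.error);
+})
+).toBeResolved();
+}
+});
+
 it('works with array', async () => {
 await reconfigureServer({
 fileUpload: {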
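Review bot: The new `it('allows file without extension')` case asserts only `toBeResolved()`, so it pins that an extensionless upload passes a `fileExtensions` pattern written to exclude `html`, but it does not test where that exemption ends. Unless a case outside this hunk already covers it, add the complementary assertion that the same filename sent with `'Content-Type': 'text/html'` in `headers` is still refused, using `toBeRejected()` in place of `toBeResolved()`. The `.catch(e => { throw new Error(e.data.error); })` wrapper also throws a `TypeError` when the failure carries no `data`, which hides the real cause; `throw new Error(e.data?.error ?? e);` would keep it.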
4 changes: 2 additions & 2 deletions src/Routers/FilesRouter.js
Expand Up @@ -157,9 +157,9 @@ export class FilesRouter {
} else if (contentType && contentType.includes('/')) {
extension = contentType.split('/')[1];
}
extension = extension.split(' ').join('');
extension = extension?.split(' ')?.join('');

if (!isValidExtension(extension)) {
if (extension && !isValidExtension(extension)) {
next(
new Parse.Error(
Parse.Error.FILE_SAVE_ERROR,
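Review bot: The new guard `if (extension && !isValidExtension(extension))` skips the `fileExtensions` check for every falsy value, so an upload for which no extension was derived is saved without being matched against the configured patterns at all. That covers `undefined` and also the empty string that `contentType.split('/')[1]` produces when nothing follows the slash. If only the no-extension case named in the commit title is meant to be exempt, narrow the condition to `if (extension !== undefined && !isValidExtension(extension)) {` and state the intent in a comment such as `// No extension could be derived: fileExtensions is not applied to this upload`. The second `?.` in `extension?.split(' ')?.join('')` is redundant, because a short-circuited optional chain already skips `.join`. The enclosing handler starts and ends outside the hunk, so the content type with which such a file is later served is not visible here and should be confirmed as non-renderable.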
