Skip to content

fix: File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc)#10383

Merged
mtrezza merged 1 commit intoparse-community:alphafrom
mtrezza:fix/GHSA-vr5f-2r24-w5hc-v9
Apr 2, 2026
Merged

fix: File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc)#10383
mtrezza merged 1 commit intoparse-community:alphafrom
mtrezza:fix/GHSA-vr5f-2r24-w5hc-v9

Conversation

@mtrezza
Copy link
Copy Markdown
Member

@mtrezza mtrezza commented Apr 2, 2026
edited
Loading

Issue

File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc)

Tasks

  • Add tests
  • Add changes

@mtrezza
fix: Override file Content-Type with extension-derived MIME type on u…
9e1f1a0 
…pload

When both a filename extension and Content-Type header are present during
file upload, the Content-Type is now derived from the extension instead of
passing the raw user-provided Content-Type to the storage adapter.
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant bot commented Apr 2, 2026
edited
Loading

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

  • Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
  • Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
  • Group code into logical blocks. Add a short comment before each block to explain its purpose.
  • We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
  • Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
  • Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@coderabbitai
Copy link
Copy Markdown

coderabbitai bot commented Apr 2, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Adds a test suite for a stored XSS vulnerability (GHSA-vr5f-2r24-w5hc) that validates file upload handling when Content-Type headers mismatch filename extensions, and updates MIME type resolution logic to always prioritize file extension-derived MIME types while preserving explicitly provided Content-Type values as fallback.

Changes

Cohort / File(s) Summary
Vulnerability Test Suite
spec/vulnerabilities.spec.js		 Adds comprehensive test cases for stored XSS vulnerability (GHSA-vr5f-2r24-w5hc) verifying Content-Type handling during file uploads: validates forced conversion to text/plain when mismatched with .txt files, preserves Content-Type for extensionless filenames, and infers MIME type from file extensions when Content-Type is omitted.
MIME Type Resolution Logic
src/Controllers/FilesController.js		 Updates createFile method to change MIME type resolution: when filename has an extension, always set contentType to the extension-derived MIME type with explicit Content-Type as fallback (mime.getType(filename) || contentType), ensuring extension-based MIME detection takes precedence over provided Content-Type headers.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name Status Explanation Resolution
Description check ⚠️ Warning No pull request description was provided; the template requires Issue, Approach, and Tasks sections to be completed. Add a description following the template, including: Issue (link/describe the security vulnerability), Approach (explain the fix), and Tasks (check applicable items like tests added).
Engage In Review Feedback ❓ Inconclusive Review feedback verification requires access to GitHub PR review interface, which is external to repository codebase and cannot be assessed through git history or code inspection alone. Access GitHub pull request #10383 directly to examine review comments, user responses, and whether feedback was implemented or discussed with reviewers.
✅ Passed checks (3 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Security Check ✅ Passed Security fix properly addresses GHSA-vr5f-2r24-w5hc by deriving MIME types from file extensions using the standard mime library, with comprehensive test coverage and no identified bypass vectors.
Title check ✅ Passed The PR title begins with the required 'fix:' prefix and clearly describes the security fix for the Content-Type override vulnerability.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov
Copy link
Copy Markdown

codecov bot commented Apr 2, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.12%. Comparing base (ead12bd) to head (9e1f1a0).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files 
@@            Coverage Diff             @@
##            alpha   #10383      +/-   ##
==========================================
- Coverage   92.52%   92.12%   -0.41%     
==========================================
  Files         192      192              
  Lines       16568    16568              
  Branches      231      231              
==========================================
- Hits        15330    15263      -67     
- Misses       1216     1279      +63     
- Partials       22       26       +4

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mtrezza mtrezza changed the title fix: GHSA-vr5f-2r24-w5hc v9 fix: File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc) Apr 2, 2026
@mtrezza mtrezza merged commit dd7cc41 into parse-community:alpha Apr 2, 2026
23 of 24 checks passed
parseplatformorg pushed a commit that referenced this pull request Apr 2, 2026
@semantic-release-bot
chore(release): 9.7.1-alpha.4 [skip ci]
73dde76 
## [9.7.1-alpha.4](9.7.1-alpha.3...9.7.1-alpha.4) (2026-04-02)

### Bug Fixes

* File upload Content-Type override via extension mismatch ([GHSA-vr5f-2r24-w5hc](GHSA-vr5f-2r24-w5hc)) ([#10383](#10383)) ([dd7cc41](dd7cc41))
@parseplatformorg
Copy link
Copy Markdown
Contributor

parseplatformorg commented Apr 2, 2026

🎉 This change has been released in version 9.7.1-alpha.4

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Apr 2, 2026
@mtrezza mtrezza deleted the fix/GHSA-vr5f-2r24-w5hc-v9 branch April 2, 2026 01:23
@github-actions github-actions bot mentioned this pull request Apr 2, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] approved these changes

Assignees

No one assigned

Labels

state:released-alpha Released as alpha version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mtrezza @parseplatformorg