fix: Stored XSS via malformed Content-Type bypassing file upload extension blocklist (GHSA-r899-h629-j84r)

[mtrezza]

Issue

Stored XSS via malformed Content-Type bypassing file upload extension blocklist (GHSA-r899-h629-j84r)

Tasks

• Add tests

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

[coderabbitai]

📝 Walkthrough

Walkthrough

FilesRouter.createHandler replaces its simple string-split Content-Type fallback with a structured type/subtype parser that rejects malformed values with "Invalid Content-Type.", skips validation when fileExtensions is ['*'], and validates the subtype against the blocklist. New tests cover these rejection and acceptance paths; a test fixture corrects 'text' to 'text/plain'.

Changes

FilesRouter Content-Type Validation Strictness

Layer / File(s)	Summary
FilesRouter Content-Type parsing and rejection logic src/Routers/FilesRouter.js	Replaces the old single-token string-split fallback with a conditional flow: skips when fileExtensions is ['*'], parses Content-Type as type/subtype, rejects malformed values with "Invalid Content-Type.", and validates the subtype against the extension blocklist.
New Content-Type validation tests and fixture fix spec/ParseFile.spec.js, spec/PurchaseValidation.spec.js	Adds five fileExtensions test cases for malformed Content-Type rejection (FILE_SAVE_ERROR / "Invalid Content-Type."), wildcard-allow acceptance, and valid vendor subtype acceptance. Fixes createProduct() fixture from 'text' to 'text/plain'.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• parse-community/parse-server#10489: Modifies the same FilesRouter.createHandler upload validation path for filename extensions and parameterized Content-Type parsing.
• parse-community/parse-server#10505: Modifies FilesRouter.createHandler's extension/Content-Type validation and extends spec/ParseFile.spec.js with fileExtensions-related rejection and acceptance cases.
• parse-community/parse-server#10191: Directly modifies FilesRouter.js createHandler logic for parsing and validating Content-Type, including handling of MIME parameters and malformed type/subtype.

🚥 Pre-merge checks | ✅ 4 | ❌ 3

❌ Failed checks (3 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	No PR description was provided, so the required Issue, Approach, and Tasks sections are missing.	Add the repository's PR template sections with the linked issue, change summary, and completed task checklist.
Security Check	⚠️ Warning	FilesRouter still accepts malformed non-empty Content-Type tokens (e.g. image//svg+xml, text/plain,application/json) because it only checks empty type/subtype and lacks token syntax validation.	Validate type and subtype with a strict MIME token/parser before blocklist checks, and reject malformed values with FILE_SAVE_ERROR; add tests for non-empty malformed tokens.
Engage In Review Feedback	⚠️ Warning	FilesRouter still only checks empty type/subtype and blocklist; the reviewed malformed cases (image//svg+xml, text/plain,application/json) aren't implemented or tested.	Add syntax validation for media-type tokens and tests for the exact malformed cases, then get reviewer confirmation before resolving.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Title check	✅ Passed	The title uses the required fix: prefix and accurately describes the file-upload Content-Type vulnerability fix.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.48%. Comparing base (c9b24ce) to head (fcb126f).
⚠️ Report is 1 commits behind head on release-8.x.x.

Additional details and impacted files

@@                Coverage Diff                @@
##           release-8.x.x   #10523      +/-   ##
=================================================
+ Coverage          92.07%   92.48%   +0.41%     
=================================================
  Files                192      192              
  Lines              16175    16185      +10     
  Branches             234      234              
=================================================
+ Hits               14893    14969      +76     
+ Misses              1258     1196      -62     
+ Partials              24       20       -4     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[mtrezza]

@coderabbitai review

[coderabbitai]

✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/Routers/FilesRouter.js`:
- Around line 227-256: The Content-Type parsing in FilesRouter’s save/validation
flow only rejects empty type/subtype pairs, so malformed tokens like double
slashes or comma-separated values can slip through. Tighten the validation
around the existing slashIndex/type/subtype parsing by rejecting any media-type
that is not a single well-formed token pair before reaching the blocklist check,
and keep using rejectExtension for blocked bare tokens while routing all other
malformed cases to the Invalid Content-Type Parse.Error path.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b1713dc7-ebd3-4b07-9137-60d0c526e374

📥 Commits

Reviewing files that changed from the base of the PR and between 700a867 and 42acfe5.

📒 Files selected for processing (3)

• spec/ParseFile.spec.js
• spec/PurchaseValidation.spec.js
• src/Routers/FilesRouter.js

[parseplatformorg]

🎉 This change has been released in version 8.6.84