🛡️ Sentinel: [CRITICAL/HIGH] Fix File Upload Extension Validation#144
🛡️ Sentinel: [CRITICAL/HIGH] Fix File Upload Extension Validation#144xb1g wants to merge 1 commit into
Conversation
Adds dangerous scripts (.php, .sh, .py, etc) and web content (.html, .svg, etc) to DANGEROUS_EXTENSIONS array. Co-authored-by: xb1g <70068561+xb1g@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
xb1g
force-pushed
the
sentinel/fix-dangerous-extensions-12299279236695494635
branch
from
7d0772e to
5f99320
Compare
|
Unable to deploy a commit from a private repository on your GitHub organization to the wachaa1319's projects team on Vercel, which is currently on the Hobby plan. In order to deploy, you can:
To read more about collaboration on Vercel, click here. |
There was a problem hiding this comment.
Pull request overview
This PR hardens the shared upload validation rules by expanding the blocked (“dangerous”) file extension list, aiming to prevent uploads of script and web-content files that could be abused when served back from storage.
Changes:
- Expanded
DANGEROUS_EXTENSIONSto include common script and web-content extensions (.php,.sh,.py,.pl,.cgi,.html,.htm,.svg,.xml). - Minor formatting/consistency updates to MIME type sets and function signatures in the shared upload validation module.
| export function validateFileName(fileName: string): { | ||
| valid: boolean; | ||
| error?: string; | ||
| } { | ||
| if (!fileName || fileName.trim().length === 0) { |
xb1g
force-pushed
the
sentinel/fix-dangerous-extensions-12299279236695494635
branch
2 times, most recently
from
e31af30 to
cac1944
Compare
Deploying with
|
| Status | Name | Latest Commit | Updated (UTC) |
|---|---|---|---|
| ❌ Deployment failed View logs |
web | cac1944 | May 11 2026, 06:24 PM |
🚨 Severity: HIGH
💡 Vulnerability: The
DANGEROUS_EXTENSIONSconfiguration inlib/constants/upload.tsdid not block potentially malicious executable scripts (like.php,.sh,.py,.cgi) or web content (like.html,.htm,.svg,.xml). Since Backblaze B2 endpoints generate URLs that might serve these files with their client-provided MIME type or extension, this allowed attackers to bypass intended restrictions and potentially upload files capable of triggering Cross-Site Scripting (XSS), Server-Side Request Forgery (SSRF), or other remote execution depending on the storage server configuration.🎯 Impact: Malicious users could upload script files that, when accessed, execute in the context of the user's browser (XSS) or the server environment if improperly configured.
🔧 Fix: Expanded the
DANGEROUS_EXTENSIONSarray to include.php,.sh,.py,.pl,.cgi,.html,.htm,.svg, and.xml, effectively blocking their upload globally across all features utilizing the standard upload validations.✅ Verification: Run
pnpm testto ensure existing file validation logic correctly processes the updated array and existing tests pass. Evaluated the codebase to confirmDANGEROUS_EXTENSIONSis used effectively in the unifiedvalidateFileNameutility.PR created automatically by Jules for task 12299279236695494635 started by @xb1g