fix: Stored cross-site scripting (XSS) via SVG file upload (GHSA-hcj7-6gxh-24ww)

[mtrezza]

Pull Request

• Report security issues confidentially.
• Any contribution is under this license.

Issue

Stored cross-site scripting (XSS) via SVG file upload (GHSA-hcj7-6gxh-24ww)

Tasks

• Add tests
• Add changes to documentation (guides, repository pages, code comments)
• Add security check
• Add new Parse Error codes to Parse JS SDK

Summary by CodeRabbit

• Bug Fixes

  • SVG file uploads are now blocked by default alongside HTML files.

• Documentation

  • File extension configuration and docs updated to reflect blocking of HTML and SVG formats.

• New Features

  • Added a new option to control whether anonymous users can upload files.

• Tests

  • Added tests validating SVG upload blocking.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

[parseplatformorg]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates block SVG uploads alongside HTML: tests added to assert SVG blocking, default fileExtensions regex and docs updated to exclude SVG, and FileUploadOptions gained a new public field enableForAnonymousUser to control anonymous uploads. (49 words)

Changes

Cohort / File(s)	Summary
Test Coverage spec/ParseFile.spec.js	Added tests verifying SVG uploads are blocked by default for extensions (svg, SVG, Svg) and for SVG content-type without extension, asserting FILE_SAVE_ERROR responses.
Configuration & Documentation src/Options/Definitions.js, src/Options/docs.js, src/Options/index.js	Default fileExtensions regex widened to exclude HTML and SVG (grouped negative lookahead); help text and docs updated to mention SVG alongside HTML.
Public API src/Options/index.js	Introduced new public field enableForAnonymousUser: ?boolean on FileUploadOptions (controls anonymous file upload behavior).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• fix: Add problematic MIME types to default value of Parse Server option fileUpload.fileExtensions #9902: Modifies the same fileUpload.fileExtensions default regex and related documentation to block HTML/SVG extensions.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is missing the 'Approach' section that should describe the changes made. While 'Issue' is filled with a security advisory reference and tasks are mostly checked, the core technical details about the implementation are absent.	Add a detailed 'Approach' section explaining: (1) how SVG uploads are now blocked, (2) the regex pattern changes in fileExtensions, (3) the new enableForAnonymousUser field, and (4) test coverage details.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title clearly and specifically describes the security fix being implemented: blocking SVG file uploads to prevent stored XSS attacks, with reference to the security advisory GHSA-hcj7-6gxh-24ww.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Options/index.js`:
- Around line 651-652: The default allowed-extensions pattern in Options (in
src/Options/index.js) currently blocks ".svg" but not MIME subtype "svg+xml", so
update the DEFAULT pattern (the array with
"^(?!([xXsS]?[hH][tT][mM][lL]?|[sS][vV][gG])$)") to also reject "svg+xml" (e.g.
include svg(?:\\+xml)? in the negative lookahead) so FilesRouter fallback using
contentType.split('/')[1] cannot bypass the rule; after changing the pattern in
the Options default, run "npm run definitions" to regenerate
src/Options/Definitions.js and src/Options/docs.js.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 42df357d-fb50-4047-a082-3cd7b4aeb27f

📥 Commits

Reviewing files that changed from the base of the PR and between 0538835 and 8153de7.

📒 Files selected for processing (4)

• spec/ParseFile.spec.js
• src/Options/Definitions.js
• src/Options/docs.js
• src/Options/index.js

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.71%. Comparing base (98188d9) to head (77c5ac0).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files

@@           Coverage Diff           @@
##            alpha   #10136   +/-   ##
=======================================
  Coverage   92.71%   92.71%           
=======================================
  Files         192      192           
  Lines       16062    16062           
  Branches      183      183           
=======================================
  Hits        14892    14892           
  Misses       1158     1158           
  Partials       12       12           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[parseplatformorg]

🎉 This change has been released in version 9.5.2-alpha.4