
fix: Stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries (GHSA-42ph-pf9q-cr72)#10191

Merged
mtrezza merged 3 commits into parse-community:alpha from mtrezza:fix/GHSA-42ph-pf9q-cr72
Mar 13, 2026

Conversation

@mtrezza
Member

@mtrezza mtrezza commented Mar 13, 2026

Pull Request

Issue

Stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries (GHSA-42ph-pf9q-cr72)

Tasks

  • Add tests
  • Add changes to documentation (guides, repository pages, code comments)
  • Add security check
  • Add new Parse Error codes to Parse JS SDK

@parse-github-assistant

parse-github-assistant bot commented Mar 13, 2026

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

@parseplatformorg
Contributor

parseplatformorg commented Mar 13, 2026

Snyk checks have passed. No issues have been found so far.

Status | Scan Engine | Critical | High | Medium | Low | Total (0)
✅ | Open Source Security | 0 | 0 | 0 | 0 | 0 issues


@coderabbitai

coderabbitai bot commented Mar 13, 2026

Walkthrough

Expanded upload-blocklist to include additional XML-related extensions, added three FileUploadOptions boolean flags controlling upload access, improved Content-Type parsing to strip MIME parameters when deriving extensions, and added (duplicate) tests asserting blocking of XML-related uploads including parameterized Content-Types.

Changes

Cohort / File(s) Summary
Tests
spec/vulnerabilities.spec.js
Added a test suite "(GHSA-42ph-pf9q-cr72) Stored XSS filter bypass via parameterized Content-Type and additional XML extensions" validating blocking of XML-related extensions (xsd, rng, rdf, owl, mathml) across case variants and parameterized Content-Types. The suite appears duplicated in the diff.
Options: definitions & docs
src/Options/Definitions.js, src/Options/docs.js
Rewrote help text to recommend an allowlist approach and expanded the default negative-lookahead regex to block more HTML/SVG/XML-related extensions (including added XML extensions). Documentation updated to reflect the allowlist guidance.
Options: public API
src/Options/index.js
Added three optional boolean public fields to FileUploadOptions: enableForAnonymousUser, enableForAuthenticatedUser, and enableForPublic.
Files router
src/Routers/FilesRouter.js
Changed extraction of extension from Content-Type to strip MIME parameters and whitespace by splitting on ; and trimming, ensuring parameterized Content-Type values are parsed before validation.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The PR description is entirely missing, failing to provide any context about the issue, approach, or completion of required tasks per the repository template. Add a comprehensive PR description following the template: include the issue/vulnerability reference, describe the changes made (test additions, extension blocking, parameter stripping), and check off completed tasks.
✅ Passed checks (2 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check ✅ Passed The PR title accurately describes the main security fix: addressing a Stored XSS filter bypass by patching Content-Type MIME parameter handling and adding missing XML extension blocklist entries (GHSA-42ph-pf9q-cr72).


@codecov

codecov bot commented Mar 13, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.61%. Comparing base (3ffba75) to head (ab01502).
⚠️ Report is 3 commits behind head on alpha.

Additional details and impacted files
@@           Coverage Diff           @@
##            alpha   #10191   +/-   ##
=======================================
  Coverage   92.61%   92.61%           
=======================================
  Files         192      192           
  Lines       16255    16255           
  Branches      190      190           
=======================================
  Hits        15055    15055           
  Misses       1187     1187           
  Partials       13       13           



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
src/Options/index.js (1)

660-661: Make the allowlist example regex-safe.

The matcher still does new RegExp(ext) for each entry, so ["jpg", "jpeg"] is substring matching rather than exact extension matching, and metacharacters like + need escaping. Consider documenting anchored patterns here (for example ["^jpg$", "^jpeg$", "^png$", "^gif$", "^webp$"]) or explicitly stating that entries are regexes.

Based on learnings: make changes in src/Options/index.js first, then run npm run definitions to sync src/Options/Definitions.js and src/Options/docs.js.

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@src/Routers/FilesRouter.js`:
- Around line 371-372: The MIME-parameter stripping only removes literal spaces
causing tab or other whitespace to persist; in FilesRouter.js update the
normalization of the extension variable (where extension is set and currently
uses split(' ')...join('')) to remove all whitespace characters (e.g. use a
regex-based replace like replacing /\s+/g) so values like
"application/xhtml+xml\t;charset=utf-8" normalize correctly, and add a
regression test that passes a MIME string with a tab-separated parameter (e.g.
containing "\t") to the handler that checks the denylist matching behavior.

---

Nitpick comments:
In `@src/Options/index.js`:
- Around line 660-661: Update the Options docs to make the allowlist example
regex-safe by either documenting that entries are treated as regular expressions
(so users must escape metacharacters) or replacing the plain examples with
anchored regex strings (e.g., "^jpg$", "^jpeg$", "^png$", "^gif$", "^webp$") in
src/Options/index.js (the DEFAULT comment/description for the allowed file
extensions), then run `npm run definitions` to regenerate
src/Options/Definitions.js and src/Options/docs.js so the changes propagate.

📥 Commits

Reviewing files that changed from the base of the PR and between 9b44d25 and b4a4cb9.

📒 Files selected for processing (5)
  • spec/vulnerabilities.spec.js
  • src/Options/Definitions.js
  • src/Options/docs.js
  • src/Options/index.js
  • src/Routers/FilesRouter.js
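The Content-Type handling discussed in the walkthrough and in the FilesRouter.js review comment, written out as an added example (not parse-server's own code): the subtype is taken, MIME parameters after `;` are dropped, whitespace is removed, and the result is tested against allowlist-style regex entries (`new RegExp` per entry, `*` allows all). The pattern list, the two normalizers and the sample headers are constructed for illustration; the project's real default lives in src/Options/Definitions.js and is not reproduced here.

```javascript
// Added example, not parse-server's code. It models the Content-Type handling this
// PR touches: take the subtype, drop MIME parameters after ';', remove whitespace,
// then test the result against allowlist-style regexes (one new RegExp per entry,
// '*' allows all). The patterns are constructed; the project's real default lives
// in src/Options/Definitions.js and is not reproduced here.

// Negative lookahead: allow any value that is NOT exactly one of these subtypes.
const ALLOWED_PATTERNS = [
  '^(?!(html?|xhtml|xhtml\\+xml|svg|svg\\+xml|xml|xsd|rng|rdf|owl|mathml)$)',
];

// Pre-fix style normalization (constructed): only literal spaces are removed,
// so a tab before ';' survives and defeats the $ anchor inside the lookahead.
function extensionWeak(contentType) {
  return contentType.split('/')[1].split(';')[0].split(' ').join('').toLowerCase();
}

// Hardened normalization: strip parameters, then remove ALL whitespace with a
// regex, as the review comment on FilesRouter.js recommends.
function extensionHardened(contentType) {
  return contentType.split('/')[1].split(';')[0].replace(/\s+/g, '').toLowerCase();
}

function isExtensionAllowed(extension, patterns = ALLOWED_PATTERNS) {
  return patterns.some(p => p === '*' || new RegExp(p).test(extension));
}

// Returns true when an upload with this Content-Type would pass the filter.
function isUploadAllowed(contentType, normalize = extensionHardened) {
  if (typeof contentType !== 'string' || !contentType.includes('/')) return false;
  return isExtensionAllowed(normalize(contentType));
}

// Constructed sample headers, including the tab-separated case from the review.
const SAMPLES = [
  'image/png',
  'text/html; charset=utf-8',
  'application/XML;charset=UTF-8',
  'application/xhtml+xml\t;charset=utf-8',
];

for (const ct of SAMPLES) {
  console.log(JSON.stringify(ct),
    'weak:', isUploadAllowed(ct, extensionWeak),
    'hardened:', isUploadAllowed(ct));
}
```

Only the tab-separated header differs between the two normalizers: the weak one lets it through, the hardened one blocks it, which is the regression case the review asks to add to spec/vulnerabilities.spec.js.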

@mtrezza mtrezza changed the title from "fix: GHSA-42ph-pf9q-cr72 v9" to "fix: Stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries (GHSA-42ph-pf9q-cr72)" Mar 13, 2026
@mtrezza mtrezza merged commit 4f53ab3 into parse-community:alpha Mar 13, 2026
23 of 24 checks passed
parseplatformorg pushed a commit that referenced this pull request Mar 13, 2026
# [9.6.0-alpha.15](9.6.0-alpha.14...9.6.0-alpha.15) (2026-03-13)

### Bug Fixes

* Stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries ([GHSA-42ph-pf9q-cr72](GHSA-42ph-pf9q-cr72)) ([#10191](#10191)) ([4f53ab3](4f53ab3))
@parseplatformorg
Contributor

🎉 This change has been released in version 9.6.0-alpha.15

Labels

state:released-alpha Released as alpha version
