Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: XSS vulnerability due to polyglot file type upload #7149

Merged
merged 1 commit into from
Jan 3, 2025
Merged

fix: XSS vulnerability due to polyglot file type upload #7149

merged 1 commit into from
Jan 3, 2025
+78 −4

Conversation

guqing
Copy link
Member

@guqing guqing commented Dec 18, 2024
edited
Loading

What type of PR is this?

/kind bug
/area core
/milestone 2.20.x

What this PR does / why we need it:

修复文件类型限制能通过混合文件类型绕过检测的问题

参考:https://github.com/halo-dev/halo/security/advisories/GHSA-99mc-ch53-pqh9

Does this PR introduce a user-facing change?

修复文件类型限制能通过混合文件类型绕过检测的问题

@f2c-ci-robot f2c-ci-robot bot added kind/bug Categorizes issue or PR as related to a bug. release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. area/core Issues or PRs related to the Halo Core labels Dec 18, 2024
@f2c-ci-robot f2c-ci-robot bot added this to the 2.20.x milestone Dec 18, 2024
@f2c-ci-robot f2c-ci-robot bot requested review from JohnNiang and LIlGG December 18, 2024 03:58
@guqing guqing force-pushed the fix/polyglot-file-xss branch from 9c91fae to ef31255 Compare December 18, 2024 03:58
@guqing guqing marked this pull request as ready for review December 18, 2024 03:59
@f2c-ci-robot f2c-ci-robot bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 18, 2024
@f2c-ci-robot f2c-ci-robot bot requested a review from ruibaby December 18, 2024 03:59
@guqing guqing force-pushed the fix/polyglot-file-xss branch from ef31255 to 2de1568 Compare December 18, 2024 03:59
@codecov Codecov
Copy link

codecov bot commented Dec 18, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 18 lines in your changes missing coverage. Please review.

Project coverage is 57.17%. Comparing base (eff73dc) to head (59b51eb).
Report is 83 commits behind head on main.

Files with missing lines Patch % Lines
.../run/halo/app/infra/utils/FileTypeDetectUtils.java 0.00% 12 Missing ⚠️
...achment/endpoint/LocalAttachmentUploadHandler.java 0.00% 6 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##               main    #7149      +/-   ##
============================================
+ Coverage     56.99%   57.17%   +0.17%     
- Complexity     3999     4047      +48     
============================================
  Files           714      719       +5     
  Lines         24110    24369     +259     
  Branches       1585     1600      +15     
============================================
+ Hits          13742    13932     +190     
- Misses         9756     9820      +64     
- Partials        612      617       +5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@guqing guqing force-pushed the fix/polyglot-file-xss branch from 2de1568 to 59b51eb Compare December 18, 2024 07:43
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@JohnNiang
Copy link
Member

/ping @halo-dev/sig-halo

ruibaby
ruibaby approved these changes Jan 3, 2025
View reviewed changes
Copy link
Member

@ruibaby ruibaby left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@f2c-ci-robot f2c-ci-robot bot added the lgtm Indicates that a PR is ready to be merged. label Jan 3, 2025
@f2c-ci-robot f2c-ci-robot
Copy link

f2c-ci-robot bot commented Jan 3, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ruibaby

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@f2c-ci-robot f2c-ci-robot bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 3, 2025
@f2c-ci-robot f2c-ci-robot bot merged commit 24f8d7b into halo-dev:main Jan 3, 2025
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ruibaby ruibaby ruibaby approved these changes

@JohnNiang JohnNiang Awaiting requested review from JohnNiang

@LIlGG LIlGG Awaiting requested review from LIlGG

Assignees

@ruibaby ruibaby

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/core Issues or PRs related to the Halo Core kind/bug Categorizes issue or PR as related to a bug. lgtm Indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes.
Projects
None yet
Milestone
2.20.x
Development

Successfully merging this pull request may close these issues.
3 participants
@guqing @JohnNiang @ruibaby