joe/kami-parse-server
Public Access
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: server crashes when receiving file download request with invalid byte range; this fixes a security vulnerability that allows an attacker to impact the availability of the server instance; the fix improves parsing of the range parameter to properly handle invalid range requests ([GHSA-h423-w6qv-2wj3](https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)) [skip release] (#8237)

Browse Source
This commit is contained in:
Manuel
2022-10-15 00:54:08 +02:00
committed by GitHub
parent 1a2b1b9bc1
commit 4c1befabf2
3 changed files with 228 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/Routers/FilesRouter.js
View File

@@ -266,5 +266,10 @@ export class FilesRouter {
}
function isFileStreamable(req, filesController) {
return req.get('Range') && typeof filesController.adapter.handleFileStream === 'function';
const range = (req.get('Range') || '/-/').split('-');
const start = Number(range[0]);
const end = Number(range[1]);
return (
(!isNaN(start) || !isNaN(end)) && typeof filesController.adapter.handleFileStream === 'function'
);
}