Security Fix JVN#74210258: Stored XSS.

Thanks to Ryoya Koyama of Mitsui Bussan Secure Directions, Inc., and xet7!
This commit is contained in:
Lauri Ojansivu 2025-10-10 23:06:06 +03:00
parent 2e91a359f5
commit e1fa607f87
4 changed files with 60 additions and 2 deletions


@ -91,6 +91,24 @@ Attachments = new FilesCollection({
const ret = fileStoreStrategyFactory.storagePath;
return ret;
},
onBeforeUpload(file) {
// Block SVG files for attachments to prevent XSS attacks
if (file.name && file.name.toLowerCase().endsWith('.svg')) {
if (process.env.DEBUG === 'true') {
console.warn('Blocked SVG file upload for attachment:', file.name);
}
return 'SVG files are not allowed for attachments due to security reasons. Please use PNG, JPG, GIF, or other safe formats.';
}
if (file.type === 'image/svg+xml') {
if (process.env.DEBUG === 'true') {
console.warn('Blocked SVG MIME type upload for attachment:', file.type);
}
return 'SVG files are not allowed for attachments due to security reasons. Please use PNG, JPG, GIF, or other safe formats.';
}
return true;
},
onAfterUpload(fileObj) {
// current storage is the filesystem, update object and database
Object.keys(fileObj.versions).forEach(versionName => {
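Review bot: The MIME comparison `file.type === 'image/svg+xml'` is an exact string match, so a client-supplied type such as `image/svg+xml; charset=utf-8` or `image/SVG+XML` passes the check, and the name check only catches `.svg`, not `.svgz` or a name with trailing whitespace; both `file.name` and `file.type` come from the uploader, so this is a blocklist on attacker-controlled strings. Normalize before comparing: `const name = (file.name || '').trim().toLowerCase();`, `const mime = (file.type || '').toLowerCase().split(';')[0].trim();`, then `if (name.endsWith('.svg') || name.endsWith('.svgz') || mime === 'image/svg+xml') { ... }`, which also collapses the two duplicated branches and their identical message into one. Blocking the extension and declared type at upload time does not stop an SVG body uploaded under a `.png` name, so presumably the download path must also serve attachments with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` — that code is not in this hunk, so worth confirming. The `Attachments` collection definition starts before this hunk and `onAfterUpload` continues past it.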