Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2026-02-27 10:24:07 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Security Fix JVN#74210258: Stored XSS.

Browse source 
Thanks to Ryoya Koyama of Mitsui Bussan Secure Directions, Inc and xet7 !
This commit is contained in:
Lauri Ojansivu 2025-10-10 23:06:06 +03:00
parent 2e91a359f5
commit e1fa607f87
4 changed files with 60 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

15
models/avatars.js
View file

@ -85,6 +85,21 @@ Avatars = new FilesCollection({
return ret;
},
onBeforeUpload(file) {
// Block SVG files for avatars to prevent XSS attacks
if (file.name && file.name.toLowerCase().endsWith('.svg')) {
if (process.env.DEBUG === 'true') {
console.warn('Blocked SVG file upload for avatar:', file.name);
}
return 'SVG files are not allowed for avatars due to security reasons. Please use PNG, JPG, or GIF format.';
}
if (file.type === 'image/svg+xml') {
if (process.env.DEBUG === 'true') {
console.warn('Blocked SVG MIME type upload for avatar:', file.type);
}
return 'SVG files are not allowed for avatars due to security reasons. Please use PNG, JPG, or GIF format.';
}
if (file.size <= avatarsUploadSize && file.type.startsWith('image/')) {
return true;
}