Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: XSS vulnerability due to polyglot file type upload #7149

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix: XSS vulnerability due to polyglot file type upload #7149

wants to merge 1 commit into from

Conversation

guqing
Copy link
Member

@guqing guqing commented Dec 18, 2024
edited
Loading

What type of PR is this?

/kind bug
/area core
/milestone 2.20.x

What this PR does / why we need it:

修复文件类型限制能通过混合文件类型绕过检测的问题

参考:https://github.com/halo-dev/halo/security/advisories/GHSA-99mc-ch53-pqh9

Does this PR introduce a user-facing change?

修复文件类型限制能通过混合文件类型绕过检测的问题

@f2c-ci-robot f2c-ci-robot bot added kind/bug Categorizes issue or PR as related to a bug. release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. area/core Issues or PRs related to the Halo Core labels Dec 18, 2024
@f2c-ci-robot f2c-ci-robot bot added this to the 2.20.x milestone Dec 18, 2024
@f2c-ci-robot f2c-ci-robot bot requested review from JohnNiang and LIlGG December 18, 2024 03:58
@f2c-ci-robot f2c-ci-robot
Copy link

f2c-ci-robot bot commented Dec 18, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please ask for approval from guqing. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@guqing guqing force-pushed the fix/polyglot-file-xss branch from 9c91fae to ef31255 Compare December 18, 2024 03:58
@guqing guqing marked this pull request as ready for review December 18, 2024 03:59
@f2c-ci-robot f2c-ci-robot bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Dec 18, 2024
@f2c-ci-robot f2c-ci-robot bot requested a review from ruibaby December 18, 2024 03:59
@guqing guqing force-pushed the fix/polyglot-file-xss branch from ef31255 to 2de1568 Compare December 18, 2024 03:59
@codecov Codecov
Copy link

codecov bot commented Dec 18, 2024
edited
Loading

Codecov Report

Attention: Patch coverage is 0% with 18 lines in your changes missing coverage. Please review.

Project coverage is 57.17%. Comparing base (eff73dc) to head (59b51eb).
Report is 82 commits behind head on main.

Files with missing lines Patch % Lines
.../run/halo/app/infra/utils/FileTypeDetectUtils.java 0.00% 12 Missing ⚠️
...achment/endpoint/LocalAttachmentUploadHandler.java 0.00% 6 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff              @@
##               main    #7149      +/-   ##
============================================
+ Coverage     56.99%   57.17%   +0.17%     
- Complexity     3999     4047      +48     
============================================
  Files           714      719       +5     
  Lines         24110    24369     +259     
  Branches       1585     1600      +15     
============================================
+ Hits          13742    13932     +190     
- Misses         9756     9820      +64     
- Partials        612      617       +5

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@guqing guqing force-pushed the fix/polyglot-file-xss branch from 2de1568 to 59b51eb Compare December 18, 2024 07:43
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@JohnNiang
Copy link
Member

/ping @halo-dev/sig-halo

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JohnNiang JohnNiang Awaiting requested review from JohnNiang

@LIlGG LIlGG Awaiting requested review from LIlGG

@ruibaby ruibaby Awaiting requested review from ruibaby

Assignees
No one assigned
Labels
area/core Issues or PRs related to the Halo Core kind/bug Categorizes issue or PR as related to a bug. release-note Denotes a PR that will be considered when it comes time to generate release notes.
Projects
None yet
Milestone
2.20.x
Development

Successfully merging this pull request may close these issues.
2 participants
@guqing @JohnNiang