fix: GHSA-r899-h629-j84r

[mtrezza]

Summary by CodeRabbit

Release Notes

• Bug Fixes
  • Enhanced file upload validation to properly detect and reject malformed Content-Type headers.
  • Improved error handling to provide clear "Invalid Content-Type" messages instead of unexpected fallback behavior.
  • Strengthened validation consistency for file uploads with unrecognized file extensions.

[parse-github-assistant]

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Tip

• Keep pull requests small. Large PRs will be rejected. Break complex features into smaller, incremental PRs.
• Use Test Driven Development. Write failing tests before implementing functionality. Ensure tests pass.
• Group code into logical blocks. Add a short comment before each block to explain its purpose.
• We offer conceptual guidance. Coding is up to you. PRs must be merge-ready for human review.
• Our review focuses on concept, not quality. PRs with code issues will be rejected. Use an AI agent.
• Human review time is precious. Avoid review ping-pong. Inspect and test your AI-generated code.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement. Our CI and AI review are safeguards, not development tools. If many issues are flagged, rethink your development approach. Invest more effort in planning and design rather than using review cycles to fix low-quality code.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ac10bf7c-2db1-47a6-92d5-469c3a393114

📥 Commits

Reviewing files that changed from the base of the PR and between 4d3465c and bbf7731.

📒 Files selected for processing (2)

• spec/ParseFile.spec.js
• src/Routers/FilesRouter.js

---

📝 Walkthrough

Walkthrough

FilesRouter.createHandler now computes isExtensionRecognized earlier and replaces the prior contentTypeExtension fallback with a strict type/subtype split of the Content-Type header. Malformed values (no slash, empty subtype) are rejected with "Invalid Content-Type.". Four new spec tests cover rejection and wildcard-bypass cases.

Changes

Strict Content-Type Validation in File Upload

Layer / File(s)	Summary
Stricter Content-Type parsing in createHandler src/Routers/FilesRouter.js, spec/ParseFile.spec.js	isExtensionRecognized is computed earlier; the contentTypeExtension fallback is replaced with explicit type/subtype splitting. Malformed Content-Type values now produce FILE_SAVE_ERROR with "Invalid Content-Type.". Four new tests assert rejection of image, image/, and extension-less filenames with bad Content-Type, and verify that fileExtensions: ['*'] bypasses the check.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• parse-community/parse-server#10191: Modifies the same createHandler code path for parsing upload Content-Type when a filename extension isn't recognized, directly overlapping with this PR's changes.
• parse-community/parse-server#10489: Also updates FilesRouter.js to handle malformed/unparseable Content-Type during extension blocklist validation and adds tests for those branches.
• parse-community/parse-server#10505: Changes FilesRouter.createHandler and spec/ParseFile.spec.js around fileExtensions validation to prevent extension blocklist bypass via mismatched Content-Type/extension combinations.

🚥 Pre-merge checks | ✅ 5 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request description is completely missing. No sections from the required template have been filled out.	Add a comprehensive pull request description following the template, including Issue, Approach, and completed Tasks sections to document the security fix.
Engage In Review Feedback	❓ Inconclusive	PR contains single commit with no iterative history; review comments are not accessible via local git repository, preventing verification of review feedback engagement.	Access the GitHub PR directly to inspect review comments and responses, or check if the PR has received any reviewer feedback yet.

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The pull request title 'fix: GHSA-r899-h629-j84r' follows the required prefix format and clearly indicates a security fix addressing a specific vulnerability.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Security Check	✅ Passed	The PR properly fixes CVE-2026-55778 by strictly validating malformed Content-Type headers when unrecognized file extensions are used, preventing content-type bypass attacks that could enable store...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ast-grep (0.43.0)

spec/ParseFile.spec.js

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}