fix: issue #203 file type validation + security CVE fixes #204
Merged
fix: CI workflow fixes for protected branches
chore(main): release 2.3.1
fix: watermark thumbnails, custom logo display, and German translations
chore(main): release 2.3.2
…ic footer year (#108) fix: lightbox watermark loading, white label translations, and dynamic footer year
chore(main): release 2.3.3
fix: database migration restart bug, lightbox loading spinner, and watermark cache invalidation
chore(main): release 2.3.4
fix: dynamic website title from branding settings
chore(main): release 2.4.0
Resolved conflicts in CHANGELOG.md, backend/package.json, and frontend/package.json. Version set to 3.15.1.
Release v3.15.1: Merge beta to main
chore(main): release 2.5.0
- #194: Send full date format object instead of just format string to prevent JSON parse errors
- #195: Remove non-functional forgot password link, fix README port 3005 -> 3000
- #196: Use ADMIN_PASSWORD env var in migration, update existing user in create-admin script instead of failing
- #197: Convert camelCase filter keys to snake_case in photo export to match backend PhotoFilterBuilder
The "Allowed File Types" admin setting was stored in the database but never actually read during upload validation. Both frontend and backend used hardcoded MIME type lists, causing video uploads (e.g. MP4) to be rejected even when explicitly added to the setting.

Changes:
- Add getAllowedMimeTypes() to uploadSettings service that reads the general_allowed_file_types DB setting and converts extensions to MIME types
- Backend admin upload route now resolves allowed types from settings before multer processes files (via resolveAllowedTypes middleware)
- Backend gallery upload route uses dynamic allowed types from settings
- Expose allowed_file_types in public settings API for gallery clients
- Frontend PhotoUpload and UserPhotoUpload components now derive allowed MIME types from settings instead of hardcoded image-only lists
- Add shared fileTypes.ts utility for extension-to-MIME conversion

Closes #203
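The pipeline described in the commit message above (settings string of extensions, extension-to-MIME mapping, allow-list resolved by middleware before multer, then content validation), as an added example written for this page and not taken from the project's code. The identifiers EXTENSION_TO_MIME, SETTINGS, MAGIC, parseAllowedExtensions, checkFile, sniffMimeTypes and validateContent are assumptions for this example; getAllowedMimeTypes and resolveAllowedTypes reuse the names from the commit message but are reimplemented here, and the settings value and sample file headers are constructed. The point a practitioner should take from it: multer's fileFilter only ever sees the client-declared filename and Content-Type, so the extension/MIME check is a usability gate, and the magic-byte check on the stored bytes is the actual security control.

```javascript
// Added example (not the project's own code): resolve the admin
// "allowed file types" setting into a MIME allow-list, apply it in a
// multer-style fileFilter, then confirm the uploaded bytes match the
// claimed type. All names and sample data below are assumptions.

const EXTENSION_TO_MIME = {
  jpg: 'image/jpeg', jpeg: 'image/jpeg', png: 'image/png', gif: 'image/gif',
  mp4: 'video/mp4', mov: 'video/quicktime',
};

// Constructed stand-in for the general_allowed_file_types DB setting.
// Mixed case, whitespace, a leading dot and an unmapped extension are
// included on purpose to show how they are normalised or dropped.
const SETTINGS = { general_allowed_file_types: 'jpg, JPEG,png,mp4,.mov,exe' };

function parseAllowedExtensions(raw) {
  const exts = String(raw || '')
    .split(/[,\s]+/)
    .map((e) => e.toLowerCase().replace(/^\./, ''))
    .filter(Boolean);
  return [...new Set(exts)];
}

// Extensions with no known mapping ("exe" above) are dropped: the allow-list
// can only grow by adding a mapping, never by a typo in the admin UI.
function getAllowedMimeTypes(settings = SETTINGS) {
  const allowed = new Set();
  for (const ext of parseAllowedExtensions(settings.general_allowed_file_types)) {
    const mime = EXTENSION_TO_MIME[ext];
    if (mime) allowed.add(mime);
  }
  return allowed;
}

// Express middleware shape: resolve the allow-list once per request so the
// multer fileFilter does not hit the settings store for every file.
function resolveAllowedTypes(req, res, next) {
  req.allowedMimeTypes = getAllowedMimeTypes();
  next();
}

// multer fileFilter signature: (req, file, cb). The declared MIME type and
// the extension must both agree with the allow-list, so "shell.php" sent as
// image/png is rejected here even though image/png is allowed.
function fileFilter(req, file, cb) {
  const allowed = req.allowedMimeTypes || getAllowedMimeTypes();
  const name = file.originalname || '';
  const ext = name.includes('.') ? name.split('.').pop().toLowerCase() : '';
  if (!allowed.has(file.mimetype) || EXTENSION_TO_MIME[ext] !== file.mimetype) {
    return cb(new Error(`file type not allowed: ${name} (${file.mimetype})`), false);
  }
  return cb(null, true);
}

// Synchronous wrapper around fileFilter for scripts and tests.
function checkFile(file, allowed) {
  let verdict;
  fileFilter({ allowedMimeTypes: allowed }, file, (err, ok) => {
    verdict = { accepted: ok === true, reason: err ? err.message : null };
  });
  return verdict;
}

// file.mimetype is copied by multer from the multipart Content-Type header,
// i.e. it is attacker-controlled. The content validator sniffs magic bytes
// and requires them to agree with the claimed type.
const MAGIC = [
  { mime: 'image/jpeg', offset: 0, bytes: [0xff, 0xd8, 0xff] },
  { mime: 'image/png', offset: 0, bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: 'image/gif', offset: 0, bytes: [0x47, 0x49, 0x46, 0x38] },
  // ISO base media files (mp4, mov) carry an 'ftyp' box at offset 4.
  { mime: 'video/mp4', offset: 4, bytes: [0x66, 0x74, 0x79, 0x70] },
  { mime: 'video/quicktime', offset: 4, bytes: [0x66, 0x74, 0x79, 0x70] },
];

function sniffMimeTypes(buf) {
  return MAGIC
    .filter((m) => m.bytes.every((b, i) => buf[m.offset + i] === b))
    .map((m) => m.mime);
}

// Fails closed: unknown content, or content that does not match the claim,
// is rejected even when the claimed type is on the allow-list.
function validateContent(buf, claimedMime, allowed = getAllowedMimeTypes()) {
  return allowed.has(claimedMime) && sniffMimeTypes(buf).includes(claimedMime);
}

// Constructed sample uploads (leading bytes only).
const PNG_HEAD = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a, 0, 0, 0, 0x0d]);
const MP4_HEAD = Buffer.from([0, 0, 0, 0x18, 0x66, 0x74, 0x79, 0x70, 0x69, 0x73, 0x6f, 0x6d]);
const EXE_HEAD = Buffer.from([0x4d, 0x5a, 0x90, 0x00]);

if (typeof require !== 'undefined' && require.main === module) {
  const allowed = getAllowedMimeTypes();
  console.log('allowed:', [...allowed]);
  console.log(checkFile({ originalname: 'clip.mp4', mimetype: 'video/mp4' }, allowed));
  console.log(checkFile({ originalname: 'shell.php', mimetype: 'image/png' }, allowed));
  console.log('exe claimed as mp4:', validateContent(EXE_HEAD, 'video/mp4', allowed));
}
```

Two design points: mp4 and mov share the 'ftyp' signature, so the sniffer returns every candidate and the check only asks whether the claimed type is among them; and the allow-list is built from a fixed extension map rather than from the admin's string directly, so an admin adding "exe" to the setting changes nothing unless a developer also adds a mapping and a magic-byte signature for it.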
Frontend (6 → 0 vulnerabilities):
- axios: update to fix DoS via __proto__ key in mergeConfig (CVE-2026-25639)
- swiper: update to fix prototype pollution (critical)
- rollup: update to fix arbitrary file write via path traversal
- minimatch: update to fix multiple ReDoS vulnerabilities
- ajv: update to fix ReDoS with $data option
- markdown-it: update to fix ReDoS

Backend (32 → 0 vulnerabilities):
- multer: update to fix DoS via incomplete cleanup and resource exhaustion
- minimatch: update to fix multiple ReDoS vulnerabilities
- Add npm overrides for transitive dependencies:
  - fast-xml-parser >=5.3.8 (fixes XSS, DoS, stack overflow via AWS SDK)
  - qs >=6.14.2 (fixes arrayLimit bypass DoS via Express)
  - tar >=7.5.8 (fixes path traversal and hardlink attacks via sqlite3)

Docker:
- Pin nginx base image to 1.27-alpine in Dockerfile.prod
- Update security comments in backend Dockerfile
- Existing apk upgrade --no-cache ensures OpenSSL/libexpat CVEs are patched at build time (OpenSSL 3.5.5, Alpine 3.23.3)
- Upgrade nginx base from 1.27-alpine to 1.28-alpine (Alpine 3.23, OpenSSL 3.5.5)
- Upgrade npm to latest in backend production stage to fix tar, minimatch, brace-expansion CVEs
- Add brace-expansion and minimatch overrides for app-level transitive deps
- Remove incompatible body-parser v2 override (breaks Express 4 JSON parsing)
- Remove npm upgrade from builder stages (npm 11 breaks npm ci with existing lockfile)
Summary
- allowed_file_types DB setting is now dynamically read throughout the entire upload pipeline (frontend file picker, JS validation, backend multer filter, content validator)

Changes
- backend/src/services/uploadSettings.js — Dynamic MIME type resolution from DB settings
- backend/src/routes/adminPhotos.js & gallery.js — Use dynamic allowed types instead of hardcoded lists
- backend/src/routes/publicSettings.js — Expose allowed_file_types to frontend
- frontend/src/utils/fileTypes.ts — Shared extension-to-MIME mapping utilities
- frontend/src/components/admin/PhotoUpload.tsx & gallery/UserPhotoUpload.tsx — Dynamic file type validation
- backend/Dockerfile & frontend/Dockerfile & frontend/Dockerfile.prod — Security hardening
- backend/package.json — npm overrides for transitive dependency CVEs

Test plan
- npm audit returns 0 vulnerabilities for both frontend and backend