FileUpload options for Server Config #7071
Conversation
Codecov Report
@@ Coverage Diff @@
## master #7071 +/- ##
==========================================
- Coverage 93.89% 93.63% -0.26%
==========================================
Files 169 169
Lines 12468 12498 +30
==========================================
- Hits 11707 11703 -4
- Misses 761 795 +34
Continue to review full report at Codecov.
|
|
Closes #6995 |
|
@mtrezza i think due to the last security report on the community forum, we can set public and anonymous upload to false by default 👍 |
|
Yes, this was already discussed in #6995 (comment). |
|
Of course @mtrezza, I have shared my fork with you so you can fix all my other future PRs too 😉 |
There was a problem hiding this comment.
I agree with @Moumouls that we should work in a more sustainable solution for file security (I'd be happy to see a spec proposal @Moumouls), but I am ok in having this PR merged in the meantime. I still have two concerns before merging though:
- I believe that, with master key, the file should be uploaded regardless of the options;
- Before merging, we need to double check if all official SDKs are sending the session token headers when uploading a file. In the case they are, we are good to go. Otherwise, I am not so sure if we should merge this now.
|
Good points, I will look into that. @Moumouls As I mentioned earlier, please open a separate issue for your proposal and we'll be happy to discuss. |
|
I've just checked the JS SDK and it looks to send the header and even has the useMasterKey option to send the master key. |
|
I would be more than happy to work on an overarching PR that tackles this and other requested file features. To prevent “public” upload to every other class we use CLPs, so I think it makes sense to use the same for consistency. However, there is obviously no _File class to set the CLPs for. I propose creating a _File class that handles: -Tracking of file references for cleanup Although most of these features cover different issues, most of them depend on a _File class. |
|
Absolutely, this makes sense, and we can see by its scope that such a PR won't be done tomorrow. @Moumouls Improvement happens incrementally, so I'm glad to see that you also support this PR eventually and your concerns could be resolved. I'm looking forward to your proposal to further improve the approach to file security. This is an important step towards improving Parse Server security by disabling unrestricted file upload by default. A topic that has been much debated in 2020 in our community and beyond. I'm glad we could still make this improvement this year and maybe @davimacedo can plan for a release of Parse Server in the coming days to make this improvement available. Thanks @dblythy for his work and everyone for their feedback. |
I actually have done a good 80% of this, so I don't mind if you'd prefer to wait a week or two for the PR. It's up to you guys. |
|
Thanks for the status report @dblythy, if you are at 80% of the final implementation i will vote for waiting the final implementation ! 😃 |
@dblythy or @Moumouls Please open a new issue for this to discuss this thoroughly in an issue to decide on an approach, rather than discuss an already done approach. The scope as you described it earlier is too broad for that. |
fix tests Postgres Support Update parse to 2.19.0 (#7060) Fix Prettier (#7066) Remove cache clear on validateObjects Improve add class if not exist Improve modifying schema instead of clearing Improve enforce class exists Fix flaky Test Release 4.5.0 (#7070) * Release 4.5.0 * Update CHANGELOG.md Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com> * Improve braking change note * Create a breaking changes sub-section * Add release action Co-authored-by: Tom Fox <13188249+TomWFox@users.noreply.github.com> Improve issue templates & add PR template (#7051) * improved feature suggestion template * added test case chapter to bug report template * PR wording * added PR template * improved formatting in issue template * removed checkbox for concept due to new GH discussions process * improved wording * improved PR todo list * amended PR checklist; minor rewording * removed duplicate wording * add securtiy check section to contribution guide fix PR template file location (#7074) Optimize redundant logic used in queries (#7061) * Optimize redundant logic used in queries * Added CHANGELOG * Fixed comments and code style after recommendations. * Fixed code style after recommendation. * Improved explanation in comments * Added tests to for logic optimizations * Added two test cases more and some comments * Added extra test cases and fixed issue found with them. * Removed empty lines as requested. Co-authored-by: Pedro Diaz <p.diaz@wemersive.com> FileUpload options for Server Config (#7071) * New: fileUpload options to restrict file uploads * review changes * update review * Update helper.js * added complete fileUpload values for tests * fixed config validation * allow file upload only for authenicated user by default * fixed inconsistent error messages * consolidated and extended tests * minor compacting * removed irregular whitespace * added changelog entry * always allow file upload with master key * fix lint * removed fit Co-authored-by: Manuel Trezza <trezza.m@gmail.com> Fix: context for afterFind (#7078) * Fix: context for afterFind * Update CHANGELOG.md Co-authored-by: Manuel <trezza.m@gmail.com> Fix max listener warning from livequery server (#7083) * fix max listner warning * fix * Clean test log Run definitions pg fix fix: upgrade ws from 7.4.0 to 7.4.1 (#7098) Snyk has created this PR to upgrade ws from 7.4.0 to 7.4.1. See this package in npm: https://www.npmjs.com/package/ws See this project in Snyk: https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr fix: upgrade ldapjs from 2.2.2 to 2.2.3 (#7095) Snyk has created this PR to upgrade ldapjs from 2.2.2 to 2.2.3. See this package in npm: https://www.npmjs.com/package/ldapjs See this project in Snyk: https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr fix: upgrade semver from 7.3.2 to 7.3.4 (#7092) Snyk has created this PR to upgrade semver from 7.3.2 to 7.3.4. See this package in npm: https://www.npmjs.com/package/semver See this project in Snyk: https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr fix: upgrade uuid from 8.3.1 to 8.3.2 (#7101) Snyk has created this PR to upgrade uuid from 8.3.1 to 8.3.2. See this package in npm: https://www.npmjs.com/package/uuid See this project in Snyk: https://app.snyk.io/org/acinader/project/8c1a9edb-c8f5-4dc1-b221-4d6030a323eb?utm_source=github&utm_medium=upgrade-pr
|
🎉 This change has been released in version 5.0.0-beta.1 |
|
🎉 This change has been released in version 5.0.0 |
|
Is this feature anywhere documented? There's no |
|
@vince1995 Where did you find that link? We may have to correct that link. |
|
It's multiple times hardcoded in the README. 2 times with http and 2 times with https. |
|
@vince1995 Thanks, would you want to submit a PR to fix these broken links? |
|
@mtrezza but what would be the correct link? |
|
https://parseplatform.org/parse-server/api always redirects to the latest stable release API version I am not sure we can use a direct link to ParseServerOptions.html anymore. The API docs are now versioned, you can access a specific version by going to |
|
I don't know how the server works (because I don't know where the code is) but wouldn't it possible to add a middleware that checks if an version was provided in the url and if not add the latest release version? Or the master branch has always the docs updated too? |
|
Not something we want to look into at the moment, but please feel free to go ahead and change the links to the URL I mentioned above for now. |
Continuing on from #6997