Security for file uploads #2137


Closed
zdmano opened this issue Jun 24, 2016 · 6 comments
Labels
type:feature New feature or improvement of existing feature

Comments

@zdmano

zdmano commented Jun 24, 2016

Issue Description

We've managed to set up an S3 bucket without any issues and file uploads work great.

My main concern is that anyone can upload files to my bucket without any security.

I've searched all around and even looked through the adapter and haven't seen a security check anywhere.

Testing this, it turns out that anyone can upload files to my bucket as long as they know my appID.

Steps to reproduce

Set up an S3 bucket.

Make a POST request to upload a file.
For example:
curl -X POST -H "X-Parse-Application-Id: <APP_ID>" -H "Content-Type: text/plain" -T "D:\test.txt" http://localhost/parse/files/test.txt

Expected Results

An unauthorized error as long as no session token (or any other authentication method) was provided in the header.

Actual Outcome

{
 "url":"http://localhost/parse/files/<APP_ID>/fc80b2e510c27d544b0d845ddcfc88e4_test.txt",
 "name":"fc80b2e510c27d544b0d845ddcfc88e4_test.txt"
}

Environment Setup

  • Server
    • parse-server version: [2.2.13]
    • Localhost or remote server? (AWS, Heroku, Azure, Digital Ocean, etc): [Local && Heroku]
@flovilmart
Contributor

This is the expected behavior. Historically, on parse.com, file upload has been open to all clients.

I believe the behavior you're trying to achieve can be implemented through a hook, like beforeFileSave, that would be called when receiving the file upload.

On another note, I'm not sure the client SDKs send authentication information (like the sessionToken) when uploading a file to the server.

You may wanna look into that too.

Feel free to open a pull request to add that feature.

@montymxb
Contributor

Closing as this is the normal behavior and is canon to how the original parse.com api functioned.

@kinosang

Will a beforeSave hook be available for Parse.File soon?

@flovilmart
Contributor

flovilmart commented Dec 10, 2017

@kinosang this is not in the plans, however, if you wish to write a PR for it, we'll gladly review it.

@uzaysan

uzaysan commented Oct 20, 2019

Any progress on this? BeforeSave for Parse File would be really useful

@chongchungyin

@kinosang @uzaysan you can have a look here https://docs.parseplatform.org/cloudcode/guide/#beforesavefile. For the usage you can have a look at the test cases.
https://github.com/parse-community/parse-server/blob/62048260c9b834f5a7d806b9970dd051408f9887/spec/CloudCode.spec.js
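The check flovilmart sketches above (a hook that runs when the upload is received) and the beforeSaveFile hook chongchungyin links to, written out as an added example; this is not code from the thread or from parse-server itself. It assumes the request object handed to Parse.Cloud.beforeSaveFile carries `user`, `master`, `file` and `fileSize` as described in the Cloud Code guide; the 10 MiB cap and the extension allow-list are illustrative values chosen here, not anything the thread specifies. The policy lives in a plain function so it can be exercised without a running server; the registration block only executes inside Cloud Code, where `Parse` is a global.

```javascript
// Added example: a Cloud Code guard that makes unauthenticated file uploads fail.
// Not part of parse-server and not the issue's own code.
// Assumptions (not from the thread): the beforeSaveFile request carries
// `user`, `master`, `file` (with `.name()`) and `fileSize` as documented in the
// Cloud Code guide; the limits below are invented for illustration.

const MAX_UPLOAD_BYTES = 10 * 1024 * 1024;                    // hypothetical 10 MiB cap
const ALLOWED_EXTENSIONS = new Set(['png', 'jpg', 'jpeg', 'pdf', 'txt']); // hypothetical allow-list

// Decide whether an upload may proceed. Pure function: returns { ok, reason }
// and touches nothing outside its argument, so it runs without a server.
function checkFileUploadRequest(request) {
  // Master-key requests come from trusted server-side code and always pass.
  if (request.master) return { ok: true, reason: 'master key' };

  // The gap reported in the issue: the /files route accepts any request that
  // carries the app id. Require a resolved user, i.e. a valid session token.
  if (!request.user) return { ok: false, reason: 'missing or invalid session token' };

  // Defence in depth: bound size and extension so an authenticated user cannot
  // turn the bucket into arbitrary file hosting.
  if (typeof request.fileSize === 'number' && request.fileSize > MAX_UPLOAD_BYTES) {
    return { ok: false, reason: `file exceeds ${MAX_UPLOAD_BYTES} bytes` };
  }
  const name = typeof request.file.name === 'function'
    ? request.file.name()
    : String(request.file.name || '');
  const ext = name.includes('.') ? name.split('.').pop().toLowerCase() : '';
  if (!ALLOWED_EXTENSIONS.has(ext)) {
    return { ok: false, reason: `extension "${ext}" not allowed` };
  }
  return { ok: true, reason: 'authenticated user' };
}

// Register the hook only when running inside Cloud Code (where `Parse` is a
// global). Throwing from beforeSaveFile makes parse-server reject the upload
// instead of handing it to the file adapter (S3 in the reporter's setup).
if (typeof Parse !== 'undefined' && Parse.Cloud && Parse.Cloud.beforeSaveFile) {
  Parse.Cloud.beforeSaveFile((request) => {
    const verdict = checkFileUploadRequest(request);
    if (!verdict.ok) {
      throw new Parse.Error(
        Parse.Error.OPERATION_FORBIDDEN,
        `File upload rejected: ${verdict.reason}`
      );
    }
  });
}
```

Placed in the Cloud Code main.js, this turns the unauthenticated curl request from the report into an error response instead of a file URL, while requests that carry a valid X-Parse-Session-Token or the master key still go through. Two caveats a practitioner should check before relying on it: as flovilmart notes above, verify that the client SDK you use actually sends the session token with file uploads, otherwise `request.user` is empty and legitimate uploads are rejected too; and newer parse-server releases expose the same handler as `Parse.Cloud.beforeSave(Parse.File, ...)`, so consult the guide for the version you run.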

@mtrezza mtrezza added type:feature New feature or improvement of existing feature and removed type:improvement labels Dec 6, 2021