[MAGNOLIA-8942] BinaryValidator doesn't allow the upload of js files to the Resources app Created: 31/May/23  Updated: 10/Jul/23  Resolved: 21/Jun/23

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 6.2.34
Fix Version/s: 6.3.0, 6.2.36

Type: Bug Priority: Neutral
Reporter: Carlos Cantalapiedra Assignee: Jaromir Sarf
Resolution: Fixed Votes: 0
Labels: VN-Testing
Σ Remaining Estimate: Not Specified Remaining Estimate: Not Specified
Σ Time Spent: 1.5d Time Spent: 1.5d
Σ Original Estimate: Not Specified Original Estimate: Not Specified

Attachments: File test.js    
Issue Links:
Cloners
is cloned by MAGNOLIA-8993 CLONE - BinaryValidator doesn't allow... Closed
Problem/Incident
causality
Sub-Tasks:
Key | Summary | Type | Status | Assignee
MAGNOLIA-8943 | Implementation | Sub-task | Completed | Jaromir Sarf
MAGNOLIA-8944 | Code review | Sub-task | Completed | Quach Hao Thien
MAGNOLIA-8945 | Pre-Integration QA | Sub-task | Completed | Quach Hao Thien
MAGNOLIA-8946 | QA | Sub-task | Closed | Antonín Juran
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
Bug DoR:
[X]* Steps to reproduce, expected, and actual results filled
[X]* Affected version filled
Release notes required:
Yes
Date of First Response:
Sprint: Nucleus 38, Nucleus 39
Story Points: 2
Team: Nucleus
Work Started:
Approved:
Yes

 Description   

Steps to reproduce

  1. Create a JS file which contains "<script", "onload=" or "onLoad=" tags
  2. Go to Resources app and try to upload the file
  3. Check it fails because the file is "unsecure"

Expected results

The file is uploaded without restrictions

Actual results

Upload is aborted

Workaround

Create the file manually and copy the full code

Development notes

N/A



 Comments   
Comment by Quach Hao Thien [ 01/Jun/23 ]

Discovery

The tika.detect(bis) returns the wrong mimetype, which then causes unnecessary validation for SVG. It could be replaced by tika.detect(file), which checks the file content and file extension for a more precise result.
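
The two detection calls named in the comment above, side by side, as an added example that is not part of the ticket and is not Magnolia's BinaryValidator code. The class name, the temp-file handling, the sample bytes and the rule that the marker scan runs only for `image/svg+xml` are assumptions made for illustration; the ticket does not say which type the stream-only call returned.

```java
import org.apache.tika.Tika;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

/** Hypothetical upload check, not Magnolia's BinaryValidator. */
public class UploadTypeCheck {
    private static final Tika TIKA = new Tika();
    // Markers taken from the ticket's steps to reproduce.
    private static final List<String> MARKERS = List.of("<script", "onload=", "onLoad=");

    /** Stream-only detection: the detector sees bytes but no file name. */
    static String detectByStream(byte[] data) throws IOException {
        try (InputStream in = new ByteArrayInputStream(data)) {
            return TIKA.detect(in);
        }
    }

    /** File detection: content plus the file name (extension) as a hint. */
    static String detectByFile(byte[] data, String suffix) throws IOException {
        Path tmp = Files.createTempFile("upload-", suffix);
        try {
            Files.write(tmp, data);
            return TIKA.detect(tmp.toFile());
        } finally {
            Files.deleteIfExists(tmp);
        }
    }

    /** Assumption: the markup scan applies only to files detected as SVG. */
    static boolean rejected(String mimeType, byte[] data) {
        if (!"image/svg+xml".equals(mimeType)) return false;
        String text = new String(data, StandardCharsets.UTF_8);
        return MARKERS.stream().anyMatch(text::contains);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a script that holds markup in a string literal.
        byte[] js = "var t = '<script src=\"a.js\"></script>';\nwindow.onload=init;\n"
                .getBytes(StandardCharsets.UTF_8);
        for (String type : List.of(detectByStream(js), detectByFile(js, ".js"))) {
            System.out.println(type + " -> rejected=" + rejected(type, js));
        }
    }
}
```

This needs tika-core on the classpath, and the detected types depend on the Tika version, so no expected output is shown. Because the file name now feeds into the result, the decision should be made on the name the file will be stored and served under.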

 
