### What
- Filters cookies with the `payload-` prefix in `getExternalFile` by
default (if `externalFileHeaderFilter` is not used).
- Documents in `externalFileHeaderFilter` that the user should handle
removing the payload cookie.
### Why
In the Payload application, the `getExternalFile` function sends the
user's cookies to an external server when fetching media, inadvertently
exposing the user's session to that third-party service.
```ts
// Pre-fix behaviour quoted from getExternalFile: when no
// externalFileHeaderFilter is configured, the inbound Cookie header
// (session token included) is forwarded verbatim to the external host.
const headers = uploadConfig.externalFileHeaderFilter
  ? uploadConfig.externalFileHeaderFilter(Object.fromEntries(new Headers(req.headers)))
  : { cookie: req.headers?.get('cookie') };

const res = await fetch(fileURL, {
  credentials: 'include',
  headers,
  method: 'GET',
});
```
Although the
[externalFileHeaderFilter](https://payloadcms.com/docs/upload/overview#collection-upload-options)
function can strip sensitive cookies from the request, the default
config includes the session cookie, violating the secure-by-default
principle.
### How
- If `externalFileHeaderFilter` is not defined, any cookie beginning
with `payload-` is filtered.
- Added two tests: one for the case where `externalFileHeaderFilter` is
defined and one for the case where it is not.
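As an added illustration of the secure-by-default behaviour the PR describes (example code written for this page, not Payload's implementation), the functions below build the outbound headers for fetching an external file: with no `externalFileHeaderFilter` configured, only the inbound Cookie header is forwarded, minus every cookie whose name starts with `payload-`; with a caller-supplied filter, the full header set is handed to that filter, which is then responsible for removing the session cookie. The names `buildExternalFileHeaders`, `stripPayloadCookies`, `demo`, and the sample cookie values are assumptions constructed for the example.

```typescript
// Added example, not Payload's own code. Assumed prefix matches the one named in the PR.
const PAYLOAD_COOKIE_PREFIX = 'payload-'

type HeaderFilter = (headers: Record<string, string>) => Record<string, string>

/** Drop every cookie whose name starts with `payload-`; undefined if nothing remains. */
function stripPayloadCookies(cookieHeader: string | null | undefined): string | undefined {
  if (!cookieHeader) return undefined
  const kept = cookieHeader
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .filter((part) => {
      // Split on the first '=' only: cookie values may themselves contain '='.
      const eq = part.indexOf('=')
      const name = (eq === -1 ? part : part.slice(0, eq)).trim()
      return !name.startsWith(PAYLOAD_COOKIE_PREFIX)
    })
  return kept.length > 0 ? kept.join('; ') : undefined
}

/**
 * Build headers for the outbound request to the external file host.
 * - With a caller-supplied filter: the filter receives every inbound header and
 *   must itself remove the session cookie (the responsibility the PR documents).
 * - Without one: forward only the Cookie header, stripped of `payload-*` cookies.
 */
function buildExternalFileHeaders(
  inbound: Record<string, string>,
  externalFileHeaderFilter?: HeaderFilter,
): Record<string, string> {
  // Normalise header names to lower case, as the Fetch Headers class does.
  const normalised: Record<string, string> = {}
  for (const [k, v] of Object.entries(inbound)) normalised[k.toLowerCase()] = v

  if (externalFileHeaderFilter) return externalFileHeaderFilter(normalised)

  const cookie = stripPayloadCookies(normalised['cookie'])
  return cookie === undefined ? {} : { cookie }
}

// Constructed sample request headers; the token value is a placeholder, not a real JWT.
const sampleInbound: Record<string, string> = {
  Cookie: 'payload-token=eyJhbGciOi.fake.sig; theme=dark; payload-csrf=abc; lang=en',
  Authorization: 'Bearer internal-only',
  Accept: 'image/*',
}

function demo() {
  // Default path: session and CSRF cookies are dropped, harmless ones survive.
  const byDefault = buildExternalFileHeaders(sampleInbound)
  // A filter that returns the headers unchanged re-introduces the leak.
  const passthrough = buildExternalFileHeaders(sampleInbound, (h) => h)
  // A correct custom filter does the stripping itself and forwards nothing else.
  const strict = buildExternalFileHeaders(sampleInbound, (h) => {
    const cookie = stripPayloadCookies(h['cookie'])
    return cookie ? { cookie } : {}
  })
  return { byDefault, passthrough, strict }
}
```

The `passthrough` case is the reason the PR documents the filter's responsibility: once a custom `externalFileHeaderFilter` is set, the default stripping no longer applies, so a filter that forwards headers unchanged sends the session cookie to the third party exactly as the pre-fix code did.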
42 lines, 2.2 KiB, TypeScript
```ts
export const usersSlug = 'users'
export const mediaSlug = 'media'
export const relationSlug = 'relation'
export const audioSlug = 'audio'
export const enlargeSlug = 'enlarge'
export const withoutEnlargeSlug = 'without-enlarge'
export const focalNoSizesSlug = 'focal-no-sizes'
export const focalOnlySlug = 'focal-only'
export const imageSizesOnlySlug = 'image-sizes-only'
export const reduceSlug = 'reduce'
export const relationPreviewSlug = 'relation-preview'
export const mediaWithRelationPreviewSlug = 'media-with-relation-preview'
export const mediaWithoutRelationPreviewSlug = 'media-without-relation-preview'
export const mediaWithoutCacheTagsSlug = 'media-without-cache-tags'
export const adminUploadControlSlug = 'admin-upload-control'
export const adminThumbnailFunctionSlug = 'admin-thumbnail-function'
export const adminThumbnailWithSearchQueries = 'admin-thumbnail-with-search-queries'
export const adminThumbnailSizeSlug = 'admin-thumbnail-size'
export const unstoredMediaSlug = 'unstored-media'
export const versionSlug = 'versions'
export const animatedTypeMedia = 'animated-type-media'
export const customUploadFieldSlug = 'custom-upload-field'
export const hideFileInputOnCreateSlug = 'hide-file-input-on-create'
export const withMetadataSlug = 'with-meta-data'
export const withoutMetadataSlug = 'without-meta-data'
export const withOnlyJPEGMetadataSlug = 'with-only-jpeg-meta-data'
export const customFileNameMediaSlug = 'custom-file-name-media'
export const allowListMediaSlug = 'allow-list-media'
export const restrictFileTypesSlug = 'restrict-file-types'
export const noRestrictFileTypesSlug = 'no-restrict-file-types'
export const noRestrictFileMimeTypesSlug = 'no-restrict-file-mime-types'
export const skipSafeFetchMediaSlug = 'skip-safe-fetch-media'
export const skipSafeFetchHeaderFilterSlug = 'skip-safe-fetch-header-filter'
export const skipAllowListSafeFetchMediaSlug = 'skip-allow-list-safe-fetch-media'
export const listViewPreviewSlug = 'list-view-preview'
export const threeDimensionalSlug = 'three-dimensional'
export const constructorOptionsSlug = 'constructor-options'
export const bulkUploadsSlug = 'bulk-uploads'

export const fileMimeTypeSlug = 'file-mime-type'
export const svgOnlySlug = 'svg-only'
```