FS-11939 - Add separate hash encoding for filename and mimetype to address the vulnerability (#597)

gary-singh-filestack · sethk4783 · commit 697a975d4ba7 · 2025-04-25T11:35:34.000+05:30
* resolve test cases

* remove filehash as required from /start response

* change filehash to metahash
diff --git a/src/lib/api/upload/uploaders/s3.spec.ts b/src/lib/api/upload/uploaders/s3.spec.ts
@@ -65,6 +65,7 @@ const testHost = 'https://filestack-test.com';
 const mockUploadId = '123132123';
 const mockRegion = 'test-region';
 const mockedUri = '/sometest';
+const mockMetaHash= 'test'
 const s3Url = testHost + '/fakes3';
 
 const mockStart = jest.fn().mockName('multipart/start');
@@ -100,6 +101,7 @@ describe('Api/Upload/Uploaders/S3', () => {
       region: mockRegion,
       upload_id: mockUploadId,
       location_url: testHost,
+      metahash: mockMetaHash,
     });
 
     mockUpload.mockReturnValue({
@@ -121,6 +123,7 @@ describe('Api/Upload/Uploaders/S3', () => {
       mimetype: 'test_mimetype',
       status: 'test_status',
       upload_tags: { test: 123 },
+      metahash: mockMetaHash,
     });
   });
 
@@ -224,6 +227,7 @@ describe('Api/Upload/Uploaders/S3', () => {
         region: mockRegion,
         upload_id: mockUploadId,
         location_url: testHost.replace('https://', ''),
+        metahash: mockMetaHash,
       });
 
       const u = new S3Uploader({});
@@ -245,6 +249,7 @@ describe('Api/Upload/Uploaders/S3', () => {
         region: mockRegion,
         upload_id: mockUploadId,
         location_url: testHost.replace('https://', ''),
+        metahash: mockMetaHash,
       });
 
       const u = new S3Uploader({});
@@ -264,6 +269,7 @@ describe('Api/Upload/Uploaders/S3', () => {
         region: mockRegion,
         upload_id: mockUploadId,
         location_url: testHost.replace('https://', ''),
+        metahash: mockMetaHash,
       });
 
       interceptorS3.once().reply(200, s3Callback, {});
@@ -288,6 +294,7 @@ describe('Api/Upload/Uploaders/S3', () => {
         upload_id: mockUploadId,
         location_region: 'test',
         location_url: testHost.replace('https://', ''),
+        metahash: mockMetaHash,
       });
 
       interceptorUpload.reply(200, function(_, data) {
@@ -495,6 +502,7 @@ describe('Api/Upload/Uploaders/S3', () => {
           upload_id: mockUploadId,
           location_url: testHost,
           upload_type: 'intelligent_ingestion',
+          metahash: mockMetaHash,
         });
       });
 
@@ -571,6 +579,7 @@ describe('Api/Upload/Uploaders/S3', () => {
           },
           fii: true,
           uri: mockedUri,
+          metahash: mockMetaHash,
         });
       });
 
@@ -647,6 +656,7 @@ describe('Api/Upload/Uploaders/S3', () => {
           },
           fii: true,
           uri: mockedUri,
+          metahash: mockMetaHash,
         });
       });
 
@@ -732,6 +742,7 @@ describe('Api/Upload/Uploaders/S3', () => {
           upload_id: mockUploadId,
           location_url: testHost,
           upload_type: 'intelligent_ingestion',
+          metahash: mockMetaHash,
         });
 
         interceptorS3.reply(400, {
@@ -781,6 +792,7 @@ describe('Api/Upload/Uploaders/S3', () => {
           upload_id: mockUploadId,
           location_url: testHost,
           upload_type: 'intelligent_ingestion',
+          metahash: mockMetaHash,
         });
 
         let networkFail = true;
@@ -847,6 +859,7 @@ describe('Api/Upload/Uploaders/S3', () => {
           region: mockRegion,
           upload_id: mockUploadId,
           location_url: testHost,
+          metahash: mockMetaHash,
         });
 
         let networkFail = true;
@@ -948,6 +961,7 @@ describe('Api/Upload/Uploaders/S3', () => {
           location: DEFAULT_STORE_LOCATION,
         },
         uri: mockedUri,
+        metahash: mockMetaHash,
       });
 
       expect(res[0].handle).toEqual('test_handle');
@@ -1021,6 +1035,7 @@ describe('Api/Upload/Uploaders/S3', () => {
           location: DEFAULT_STORE_LOCATION,
         },
         uri: mockedUri,
+        metahash: mockMetaHash,
       });
 
       expect(res[0].handle).toEqual('test_handle');
diff --git a/src/lib/api/upload/uploaders/s3.ts b/src/lib/api/upload/uploaders/s3.ts
@@ -44,6 +44,7 @@ export interface UploadPayload {
   upload_id?: number;
   location_url?: string;
   location_region?: string;
+  metahash?: string;
 }
 
 export class S3Uploader extends UploaderAbstract {
@@ -213,6 +214,7 @@ export class S3Uploader extends UploaderAbstract {
       upload_id: payload.upload_id,
       region: payload.region,
       alt: payload.file.alt,
+      metahash: payload.metahash,
     };
 
     if (this.uploadMode === UploadMode.INTELLIGENT || (this.uploadMode === UploadMode.FALLBACK && fiiFallback)) {
@@ -688,7 +690,7 @@ export class S3Uploader extends UploaderAbstract {
     return FsRequest.post(
       `${this.getUploadUrl(id)}/multipart/complete`,
       {
-        ...this.getDefaultFields(id, ['apikey', 'policy', 'signature', 'uri', 'region', 'upload_id', 'fii', 'alt'], true),
+        ...this.getDefaultFields(id, ['apikey', 'policy', 'signature', 'uri', 'region', 'upload_id', 'fii', 'alt', 'metahash'], true),
         // method specific keys
         filename: payload.file.name,
         mimetype: payload.file.type,
