From e1cfe247fbc8fecfd4b1cad04f764f83dcc4ea58 Mon Sep 17 00:00:00 2001 From: Araksya Gevorgyan Date: Fri, 31 Oct 2025 14:31:15 +0100 Subject: [PATCH 1/4] docs(upload): add security configuration documentation --- docusaurus/docs/cms/features/media-library.md | 58 +++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/docusaurus/docs/cms/features/media-library.md b/docusaurus/docs/cms/features/media-library.md index fe4e5c8c7e..f3a0827d56 100644 --- a/docusaurus/docs/cms/features/media-library.md +++ b/docusaurus/docs/cms/features/media-library.md @@ -111,6 +111,7 @@ When using the default upload provider, the following specific configuration opt | `providerOptions.localServer` | Options that will be passed to upon which the Upload server is build (see [local server configuration](#local-server)) | Object | - | | `sizeLimit` | Maximum file size in bytes (see [max file size](#max-file-size)) | Integer | `209715200`

(200 MB in bytes, i.e., 200 x 1024 x 1024 bytes) | | `breakpoints` | Allows to override the breakpoints sizes at which responsive images are generated when the "Responsive friendly upload" option is set to `true` (see [responsive images](#responsive-images)) | Object | `{ large: 1000, medium: 750, small: 500 }` | +| `security` | Configures validation rules for uploaded files to enhance media security | Object | - | :::note The Upload request timeout is defined in the server options, not in the Upload plugin options, as it's not specific to the Upload plugin but is applied to the whole Strapi server instance (see [upload request timeout](#upload-request-timeout)). @@ -145,6 +146,10 @@ module.exports = ({ env })=>({ small: 500, xsmall: 64 }, + security: { + allowedTypes: ['image/*', 'application/pdf'], + deniedTypes: ['application/x-sh', 'application/x-dosexec'] + }, }, }, }); @@ -171,6 +176,10 @@ export default () => ({ small: 500, xsmall: 64 }, + security: { + allowedTypes: ['image/*', 'application/pdf'], + deniedTypes: ['application/x-sh', 'application/x-dosexec'] + }, }, }, }) @@ -319,6 +328,55 @@ export default { +#### Security + + +Configures validation rules for uploaded files to enhance media security. + +:::note +It's best to define either `allowedTypes` or `deniedTypes`, not both, to avoid conflicts in file validation logic. +::: + +You can provide them by creating or editing [the `/config/plugins` file](/cms/configurations/plugins). The following example sets the `allowedTypes` filter: + + + + + +```js title="/config/plugins.js" +module.exports = { + // ... + upload: { + config: { + security: { + allowedTypes: ['image/*', 'application/pdf'] + }, + } + } +}; +``` + + + + + +```js title="/config/plugins.ts" +export default { + // ... + upload: { + config: { + security: { + allowedTypes: ['image/*', 'application/pdf'] + }, + } + } +}; +``` + + + + + #### Upload request timeout By default, the value of `strapi.server.httpServer.requestTimeout` is set to 330 seconds. This includes uploads. From 99a4594818e1f9bc1d96112b160043b6b170f7c3 Mon Sep 17 00:00:00 2001 From: Araksya Gevorgyan Date: Fri, 31 Oct 2025 14:57:53 +0100 Subject: [PATCH 2/4] docs(upload): improve description wording --- docusaurus/docs/cms/features/media-library.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docusaurus/docs/cms/features/media-library.md b/docusaurus/docs/cms/features/media-library.md index f3a0827d56..bd5a230bda 100644 --- a/docusaurus/docs/cms/features/media-library.md +++ b/docusaurus/docs/cms/features/media-library.md @@ -330,8 +330,10 @@ export default { #### Security +The Upload plugin validates files based on their actual MIME type rather than the declared file extension. +Only files matching the defined security rules are uploaded; others are filtered out. -Configures validation rules for uploaded files to enhance media security. +The `security` configuration provides two options: `allowedTypes` or `deniedTypes`, which let you control which file types can or cannot be uploaded. :::note It's best to define either `allowedTypes` or `deniedTypes`, not both, to avoid conflicts in file validation logic. From 60084d40b0316a9724248eea73fc60dd8f4dd579 Mon Sep 17 00:00:00 2001 From: Pierre Wizla <4233866+pwizla@users.noreply.github.com> Date: Fri, 31 Oct 2025 17:25:58 +0100 Subject: [PATCH 3/4] Update docusaurus/docs/cms/features/media-library.md --- docusaurus/docs/cms/features/media-library.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docusaurus/docs/cms/features/media-library.md b/docusaurus/docs/cms/features/media-library.md index bd5a230bda..1a747314f5 100644 --- a/docusaurus/docs/cms/features/media-library.md +++ b/docusaurus/docs/cms/features/media-library.md @@ -333,7 +333,7 @@ export default { The Upload plugin validates files based on their actual MIME type rather than the declared file extension. Only files matching the defined security rules are uploaded; others are filtered out. -The `security` configuration provides two options: `allowedTypes` or `deniedTypes`, which let you control which file types can or cannot be uploaded. +The `security` configuration provides 2 options: `allowedTypes` or `deniedTypes`, which let you control which file types can or cannot be uploaded. :::note It's best to define either `allowedTypes` or `deniedTypes`, not both, to avoid conflicts in file validation logic. From 828c4f258190991b4a2ddcd2bca501e06c7fee66 Mon Sep 17 00:00:00 2001 From: Araksya Gevorgyan Date: Tue, 4 Nov 2025 15:42:13 +0100 Subject: [PATCH 4/4] feat(docs): modifying description --- docusaurus/docs/cms/features/media-library.md | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/docusaurus/docs/cms/features/media-library.md b/docusaurus/docs/cms/features/media-library.md index 1a747314f5..246f641869 100644 --- a/docusaurus/docs/cms/features/media-library.md +++ b/docusaurus/docs/cms/features/media-library.md @@ -147,7 +147,7 @@ module.exports = ({ env })=>({ xsmall: 64 }, security: { - allowedTypes: ['image/*', 'application/pdf'], + allowedTypes: ['image/*', 'application/*'], deniedTypes: ['application/x-sh', 'application/x-dosexec'] }, }, @@ -177,7 +177,7 @@ export default () => ({ xsmall: 64 }, security: { - allowedTypes: ['image/*', 'application/pdf'], + allowedTypes: ['image/*', 'application/*'], deniedTypes: ['application/x-sh', 'application/x-dosexec'] }, }, @@ -331,15 +331,15 @@ export default { #### Security The Upload plugin validates files based on their actual MIME type rather than the declared file extension. -Only files matching the defined security rules are uploaded; others are filtered out. +Only files matching the defined security rules are uploaded. The `security` configuration provides 2 options: `allowedTypes` or `deniedTypes`, which let you control which file types can or cannot be uploaded. :::note -It's best to define either `allowedTypes` or `deniedTypes`, not both, to avoid conflicts in file validation logic. +You can use `allowedTypes` and `deniedTypes` separately or together to fine-tune which files are accepted. Files must match an allowed type and must not match any denied type. If you use a wildcard like `*` in `allowedTypes`, you can narrow down the validation by specifying exceptions in `deniedTypes`. ::: -You can provide them by creating or editing [the `/config/plugins` file](/cms/configurations/plugins). The following example sets the `allowedTypes` filter: +You can provide them by creating or editing [the `/config/plugins` file](/cms/configurations/plugins). The following is an example of how to combine `allowedTypes` and `deniedTypes`: @@ -351,7 +351,8 @@ module.exports = { upload: { config: { security: { - allowedTypes: ['image/*', 'application/pdf'] + allowedTypes: ['image/*', 'application/*'], + deniedTypes: ['application/x-sh', 'application/x-dosexec'] }, } } @@ -368,7 +369,8 @@ export default { upload: { config: { security: { - allowedTypes: ['image/*', 'application/pdf'] + allowedTypes: ['image/*', 'application/*'], + deniedTypes: ['application/x-sh', 'application/x-dosexec'] }, } }