TL;DR
PayloadCMS v3.46.0 introduces a new security feature for restricting file uploads by type, along with several important bug fixes across the platform. This release enhances security for file uploads, fixes issues with MongoDB data handling, improves Next.js integration, and addresses UI problems. Developers using the redirects plugin will need to perform a migration to ensure unique 'from' fields.
Highlights of the Release
- New file upload restriction feature to prevent unwanted file types
- Enhanced security with proper hostname verification for upload URLs
- Fixed MongoDB data transformation issues
- Improved Next.js integration with collection-level live preview config
- Fixed redirects plugin to prevent duplicate 'from' URLs
Migration Guide
Redirects Plugin Migration
If you're using the plugin-redirects plugin, this release requires a migration because it adds unique: true to the 'from' field. To migrate successfully:
- Check for duplicates: Ensure there are no duplicate 'from' values in your existing redirects collection.
- Clean up data: Before applying this update, remove or modify any duplicate entries in your redirects collection.
- Update the plugin: After cleaning up your data, update to the latest version of the plugin.
This change is necessary to prevent the errors and unpredictable behavior that occur when multiple redirects share the same 'from' URL, as the application wouldn't know which one to follow.
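The duplicate check in the first migration step, as an added example that is not part of the release notes or the plugin's own code: it groups redirect documents by their exact 'from' value and reports every value that occurs more than once. The document shape ({ id, from, to }) and the sample rows are constructed for the example.

```javascript
// Added example: report duplicated 'from' values in a redirects collection
// before the unique constraint from this release is applied.
// Assumed document shape: { id, from, to }, as read from the collection.

/**
 * Group documents by their exact 'from' value and keep only the groups with
 * more than one member. The unique constraint is an exact string match, so
 * no normalisation (case, trailing slash) is applied here.
 * @param {{ id: string, from: string }[]} docs
 * @returns {Map<string, string[]>} 'from' value -> ids that share it
 */
function findDuplicateFrom(docs) {
  const byFrom = new Map()
  for (const doc of docs) {
    const ids = byFrom.get(doc.from) ?? []
    ids.push(doc.id)
    byFrom.set(doc.from, ids)
  }
  const duplicates = new Map()
  for (const [from, ids] of byFrom) {
    if (ids.length > 1) duplicates.set(from, ids)
  }
  return duplicates
}

/** One report line per duplicated 'from' value, listing the ids involved. */
function reportDuplicates(docs) {
  return [...findDuplicateFrom(docs)].map(([from, ids]) => `${from}: ${ids.join(', ')}`)
}

// Constructed sample data standing in for the docs returned by
// payload.find({ collection: 'redirects', pagination: false, depth: 0 }).
const sampleRedirects = [
  { id: 'a1', from: '/old-page', to: '/new-page' },
  { id: 'b2', from: '/blog', to: '/articles' },
  { id: 'c3', from: '/old-page', to: '/another-page' },
  { id: 'd4', from: '/old-page/', to: '/new-page' }, // different string, not a duplicate for the index
]

console.log(reportDuplicates(sampleRedirects).join('\n'))
```

In a real project, fetch the rows through the Local API with payload.find({ collection: 'redirects', pagination: false, depth: 0 }) and pass result.docs to reportDuplicates. Note that variants such as a trailing slash are distinct strings and will not collide with the unique index; whether to consolidate them is a separate content decision.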
Upgrade Recommendations
This release is recommended for all users due to important security fixes and bug corrections.
- Priority: Medium-High
- Timing: Plan to upgrade within your next development cycle
Before upgrading:
- If you use the redirects plugin, check for and resolve any duplicate 'from' values in your redirects collection
- Review your file upload configurations if you want to take advantage of the new file restriction feature
- Test the upgrade in a development environment before deploying to production
The security improvements for upload URL verification and the various bug fixes make this a valuable update for all PayloadCMS users.
Bug Fixes
Security and Upload Fixes
- Upload URL Security: Fixed hostname verification for upload URLs by checking the resolved IP address. Previously, hostnames were passed to isSafeIp without first being resolved to IP addresses, creating a potential security vulnerability.
UI Improvements
- Change Password Button: Fixed an issue where the change password button was hidden when a user had full field access.
- Relationship Input: Increased the timeout for opening the list drawer in RelationshipInput to 100ms, fixing cases where the drawer wouldn't open properly.
Next.js Integration
- Live Preview Config: Fixed collection-level live preview configuration in Next.js integration that was broken in a previous update (#12860).
- Reset Password: Added the token to the reset password initialState so that it is no longer passed through as undefined, fixing the broken reset password UI.
MongoDB and Data Handling
- Data Transformation: Fixed an issue where updateOne mutated the data object without transforming it for read operations when returning was set to false. This caused problems when that data object was used later, because all IDs had been converted to ObjectIDs and never transformed back.
- Custom Array ID Fields: Fixed deduplication of custom array ID fields. Previously, when adding a custom ID field to an array's config, both the default field provided by Payload and the custom ID field existed in the resulting config, causing lookup problems.
Plugin Fixes
- Redirects Plugin: Added unique: true to the 'from' field in the redirects plugin to prevent errors in redirect logic. This prevents creating multiple redirects with the same 'from' URL, which would cause unpredictable behavior.
New Features
Restricted File Upload Check
PayloadCMS now includes a new security feature that lets you restrict file uploads by type. It is implemented through the new restrictedFileTypes option (default: false) for upload collections.
When enabled, this feature prevents files on a restricted list from being uploaded, enhancing security by giving developers more control over what file types can be uploaded to their application.
To configure this feature:
- Set [Collection].upload.restrictedFileTypes to true to enable the restriction
- Set [Collection].upload.mimeType to specify the allowed file type(s)
This feature is particularly useful for applications that need to limit uploads to specific file types for security or organizational purposes.
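The two configuration steps above, as an added example that is not code from Payload or the release notes: an upload collection config that turns on restrictedFileTypes and narrows accepted types with the upload config's mimeTypes allow list, plus a small helper that models how an allow list with wildcard entries is evaluated. The helper is illustrative only and is not Payload's own matcher; the collection slug, staticDir and allow-list entries are assumptions for the example.

```javascript
// Added example: upload collection config with the new restriction enabled,
// and an illustrative allow-list matcher (not Payload's implementation).

const Media = {
  slug: 'media', // assumed collection name
  upload: {
    staticDir: 'media', // assumed storage directory for this example
    restrictedFileTypes: true, // block files on Payload's restricted list (default: false)
    mimeTypes: ['image/*', 'application/pdf'], // allow list: only these types are accepted
  },
  fields: [],
}

/**
 * Return true when `mimeType` matches one of the allow-list entries.
 * Entries are exact types ('application/pdf') or type wildcards ('image/*').
 * Comparison is case-insensitive and ignores parameters such as '; charset=utf-8'.
 * @param {string} mimeType declared Content-Type of the upload
 * @param {string[]} allowed entries from upload.mimeTypes
 */
function isMimeAllowed(mimeType, allowed) {
  const [type, subtype] = mimeType.toLowerCase().split(';')[0].trim().split('/')
  if (!type || !subtype) return false // malformed media type is never allowed
  return allowed.some((entry) => {
    const [aType, aSub] = entry.toLowerCase().split('/')
    return aType === type && (aSub === '*' || aSub === subtype)
  })
}

/** Read the allow list from a collection config; no list configured means any type is accepted. */
function collectionAccepts(collection, mimeType) {
  const allowed = collection.upload?.mimeTypes
  if (!allowed || allowed.length === 0) return true
  return isMimeAllowed(mimeType, allowed)
}

console.log(collectionAccepts(Media, 'image/png'), collectionAccepts(Media, 'text/html'))
```

Two points worth keeping in mind when choosing the allow list: a wildcard such as image/* also admits image/svg+xml, which can carry script, so list exact subtypes if that is not wanted; and the declared Content-Type comes from the client, so this check is a policy filter on the declared type rather than validation of the file's contents.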
Security Updates
Upload URL Security Enhancement
A significant security fix was implemented to properly verify hostnames in upload URLs. The update adds DNS lookup functionality to resolve hostnames to IP addresses before verification:
import { lookup } from 'dns/promises'
// ...
const { address } = await lookup(hostname)
// ...
return isSafeIp(address)
Previously, hostnames were passed directly to the isSafeIp function without first being resolved to IP addresses, which could potentially allow malicious uploads from unsafe sources.
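The resolve-then-check pattern shown in the snippet above, as an added example that is not Payload's code: the hostname of an upload URL is resolved to an address first, and only the address is judged. The isSafeIp here is an illustrative block list of loopback, private, link-local and other non-public ranges, not Payload's implementation, and the resolver is injectable so the example can run offline against a constructed lookup table.

```javascript
// Added example: resolve the upload host to an address, then check the address.
// isSafeIp below is illustrative and is not Payload's function of the same name.

/** Parse dotted IPv4 into four octets, or null if the string is not valid IPv4. */
function parseIPv4(address) {
  const parts = address.split('.')
  if (parts.length !== 4) return null
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : -1))
  return octets.every((o) => o >= 0 && o <= 255) ? octets : null
}

/** True only for addresses outside loopback, private, link-local and other non-public ranges. */
function isSafeIp(address) {
  let addr = address.toLowerCase()
  // IPv4-mapped IPv6 (::ffff:10.0.0.1 or ::ffff:a00:1) is judged as its embedded IPv4 address
  const mappedDotted = addr.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/)
  const mappedHex = addr.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/)
  if (mappedDotted) addr = mappedDotted[1]
  else if (mappedHex) {
    const hi = parseInt(mappedHex[1], 16), lo = parseInt(mappedHex[2], 16)
    addr = `${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`
  }
  const v4 = parseIPv4(addr)
  if (v4) {
    const [a, b] = v4
    if (a === 0) return false // 0.0.0.0/8
    if (a === 10) return false // 10.0.0.0/8
    if (a === 127) return false // loopback
    if (a === 169 && b === 254) return false // link-local, incl. cloud metadata endpoints
    if (a === 172 && b >= 16 && b <= 31) return false // 172.16.0.0/12
    if (a === 192 && b === 168) return false // 192.168.0.0/16
    if (a === 100 && b >= 64 && b <= 127) return false // 100.64.0.0/10 shared address space
    if (a >= 224) return false // multicast and reserved
    return true
  }
  if (!addr.includes(':')) return false // neither IPv4 nor IPv6
  if (addr === '::' || addr === '::1') return false // unspecified, loopback
  if (/^f[cd][0-9a-f]{2}:/.test(addr)) return false // fc00::/7 unique local
  if (/^fe[89ab][0-9a-f]:/.test(addr)) return false // fe80::/10 link-local
  if (/^ff[0-9a-f]{2}:/.test(addr)) return false // ff00::/8 multicast
  return true
}

/** Hostname of an http(s) URL with IPv6 brackets removed; null for anything else. */
function hostnameOf(url) {
  try {
    const u = new URL(url)
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null
    return u.hostname.replace(/^\[|\]$/g, '')
  } catch {
    return null
  }
}

/**
 * Resolve, then check. `resolve(hostname)` must return { address } like dns.promises.lookup,
 * which is used when no resolver is injected. A literal IP is checked directly; a name is
 * resolved first so that a public-looking name pointing at an internal address is rejected.
 */
async function isSafeUploadUrl(url, resolve) {
  const hostname = hostnameOf(url)
  if (!hostname) return false
  if (parseIPv4(hostname) || hostname.includes(':')) return isSafeIp(hostname)
  const resolver = resolve ?? (await import('node:dns/promises')).lookup
  try {
    const { address } = await resolver(hostname)
    return isSafeIp(address)
  } catch {
    return false // unresolvable names are rejected
  }
}

// Constructed resolver standing in for DNS so the example runs offline.
const fakeResolve = async (hostname) => {
  const table = { 'cdn.example.com': '203.0.113.10', 'internal.example.com': '10.1.2.3' }
  if (!(hostname in table)) throw new Error('ENOTFOUND')
  return { address: table[hostname] }
}

isSafeUploadUrl('https://internal.example.com/a.png', fakeResolve).then((ok) => console.log('internal:', ok))
```

The order matters: checking the name and then letting the HTTP client resolve it separately leaves a window in which the two lookups can disagree, so a production check should also pin the fetched connection to the address that was verified.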
File Upload Restrictions
The new restrictedFileTypes feature for upload collections adds another layer of security by allowing developers to prevent certain file types from being uploaded to their application, reducing the risk of malicious file uploads.
Performance Improvements
This release doesn't include specific performance improvements, as the main focus was on security enhancements and bug fixes. However, the CI now includes a new "analyze" step that analyzes bundle sizes for the payload, @payloadcms/ui, @payloadcms/next, and @payloadcms/richtext-lexical packages, which will help monitor and optimize performance in future releases.
Impact Summary
PayloadCMS v3.46.0 brings important security enhancements and bug fixes that improve the overall stability and security of the platform. The new file upload restriction feature gives developers more control over what files can be uploaded to their application, while the fix for hostname verification in upload URLs addresses a potential security vulnerability.
For developers using the redirects plugin, this update requires attention as it introduces a unique constraint on the 'from' field, necessitating data cleanup before upgrading. The MongoDB data transformation fix resolves an issue that could cause unexpected behavior when working with data objects after database operations.
Next.js integration improvements fix issues with live preview configuration and reset password functionality, enhancing the developer and user experience. UI fixes for the change password button visibility and relationship input drawer behavior address usability issues reported by users.
Overall, this release focuses on security, stability, and usability improvements across the platform, making it a recommended upgrade for all PayloadCMS users.
Full Release Notes
🚀 Features
🐛 Bug Fixes
- deduplicate custom array id fields (#13064) (e6f8ca6)
- check hostname of upload url (#13018) (30fc7e3)
- db-mongodb: updateOne mutates the data object and does not transform it for read (#13065) (6d5cc84)
- next: adds token to reset password initialState (#13067) (f4f13a2)
- next: respect collection-level live preview config (#13036) (f49eeb1)
- plugin-redirects: make 'from' field unique to prevent errors in redirect logic (#12964) (50c2f8b)
- ui: increase timeout for opening list drawer in RelationshipInput (#13031) (2650eb7)
- ui: change password button is hidden when user has full field access (#12988) (1d9ad6f)
🧪 Tests
⚙️ CI
🤝 Contributors