Describe the Bug
s3 storage: Changing an image that has already been uploaded throws the following error: "An error occurred while uploading the file.. Blocked unsafe attempt to http://xxx" in Payload v3.43.0.
Earlier versions are not affected; there is no error after downgrading to version 3.42.
Thanks in advance for checking this out.
Link to the code that reproduces this issue
pnpx create-payload-app@latest -t website
Reproduction Steps
These steps are based on the Website template:
1.) Enable the s3 storage plugin:
s3Storage({
  collections: {
    media: true,
  },
  bucket: process.env.S3_BUCKET_NAME || '',
  config: {
    region: process.env.S3_REGION || '',
    endpoint: process.env.S3_ENDPOINT || '',
    credentials: {
      accessKeyId: process.env.S3_ACCESS_KEY || '',
      secretAccessKey: process.env.S3_SECRET_KEY || '',
    },
  },
}),
- Upload an image to the Media collection – this works without any issues.
- Edit the image, for example by changing the alt text, and click Save.
- An error is thrown and the image is not updated. See the error in the logs:
err: {
"type": "FileRetrievalError",
"message": "An error occurred while uploading the file.. Blocked unsafe attempt to http://localhost:3020/api/media/file/dummy-upload.png",
...}
Which area(s) are affected? (Select all that apply)
plugin: cloud-storage
Environment Info
Binaries:
Node: 20.19.0
npm: 10.8.2
Yarn: N/A
pnpm: 10.3.0
Relevant Packages:
payload: 3.43.0
next: 15.3.0
@payloadcms/db-mongodb: 3.43.0
@payloadcms/email-nodemailer: 3.43.0
@payloadcms/graphql: 3.43.0
@payloadcms/live-preview: 3.43.0
@payloadcms/live-preview-react: 3.43.0
@payloadcms/next/utilities: 3.43.0
@payloadcms/payload-cloud: 3.43.0
@payloadcms/plugin-cloud-storage: 3.43.0
@payloadcms/plugin-form-builder: 3.43.0
@payloadcms/plugin-nested-docs: 3.43.0
@payloadcms/plugin-redirects: 3.43.0
@payloadcms/plugin-seo: 3.43.0
@payloadcms/richtext-lexical: 3.43.0
@payloadcms/storage-s3: 3.43.0
@payloadcms/translations: 3.43.0
@payloadcms/ui/shared: 3.43.0
react: 19.1.0
react-dom: 19.1.0
Operating System:
Platform: darwin
Arch: arm64
Version: Darwin Kernel Version 24.5.0: Tue Apr 22 19:53:27 PDT 2025; root:xnu-11417.121.6~2/RELEASE_ARM64_T6041
Available memory (MB): 24576
Available CPU cores: 12
github-actions commented on Jun 20, 2025
Please add a reproduction in order for us to be able to investigate.
Depending on the quality of reproduction steps, this issue may be closed if no reproduction is provided.
Why was this issue marked with the invalid-reproduction label?
To be able to investigate, we need access to a reproduction to identify what triggered the issue. We prefer a link to a public GitHub repository created with create-payload-app@latest -t blank or a forked/branched version of this repository with tests added (more info in the reproduction-guide).
To make sure the issue is resolved as quickly as possible, please make sure that the reproduction is as minimal as possible. This means that you should remove unnecessary code, files, and dependencies that do not contribute to the issue. Ensure your reproduction does not depend on secrets, 3rd party registries, private dependencies, or any other data that cannot be made public. Avoid a reproduction including a whole monorepo (unless relevant to the issue). The easier it is to reproduce the issue, the quicker we can help.
Please test your reproduction against the latest version of Payload to make sure your issue has not already been fixed.
I added a link, why was it still marked?
Ensure the link is pointing to a codebase that is accessible (e.g. not a private repository). "example.com", "n/a", "will add later", etc. are not acceptable links -- we need to see a public codebase. See the above section for accepted links.
fedosev commented on Jun 20, 2025
Same issue without s3 (local storage). It seems to be an issue after adding safeFetch. There is no checking for allowList. Was there some sort of merge issue? packages/payload/src/uploads/getExternalFile.ts
JayBee007 commented on Jun 20, 2025
The issue is with how isSafeIp works, more info here #12870
luochuanyuewu commented on Jun 21, 2025
Same issue here after upgrade to 3.43
virus-rpi commented on Jun 22, 2025
I have the same error with the Vercel Blob storage
JesperWe commented on Jun 23, 2025
Same issue here using Digital Ocean S3 storage
tsemachh commented on Jun 23, 2025
@nettags this happens also on GCS and local storage, this is a regression because of the change done by @kendelljoseph
#12622 there are also remarks there, this needs to get priority
lukebennett commented on Jun 23, 2025
Yes, totally broken here too (using R2 via S3 but doesn't appear to be provider specific). Can't update any uploads at the moment.
TwR-Slice commented on Jun 23, 2025
+1 unable to edit
roymandev commented on Jun 24, 2025
+1 unable to edit
kendelljoseph commented on Jul 2, 2025
@tsemachh
The fix, #13018 should address this problem as well since you are using a storage adapter.
The upload operation that triggers getExternalFile (payload/packages/payload/src/uploads/generateFileData.ts, line 99 in babcd59) should happen only when the url is not local (payload/packages/payload/src/uploads/generateFileData.ts, line 93 in babcd59).
However it's possible that upload collection document url you are using has a local address.
This fix, #13018, may not solve what you described.
I would need to know more about your local config, or document, to understand why external fetches are being triggered for local resources. I haven't been able to recreate that problem so far, I'll be watching for your recreation notes.
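A sketch of the check discussed in this thread, added here as an illustration and not Payload's actual code: the upload URL is compared with the app's own origin before any SSRF guard runs, so a same-origin file is handled locally while other loopback or private targets stay blocked. The function names and sample URLs are assumptions, and DNS resolution is left out so the example runs offline.

```javascript
// Added illustration, not Payload's source; every name here is hypothetical.

// True for IPv4 literals in "this host", private, loopback or link-local ranges.
function isPrivateIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return (
    a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168)
  );
}

// Literal-only check. A production guard must also resolve DNS and test every
// resolved address, otherwise a public name pointing at 127.0.0.1 slips through.
function isUnsafeHost(hostname) {
  const h = hostname.toLowerCase();
  return h === 'localhost' || h.endsWith('.localhost') || h === '[::1]' || isPrivateIPv4(h);
}

// Decide how an upload document's url is handled on update:
//   'local'    same origin as the app, read via the storage adapter, no HTTP fetch
//   'external' public host, may go through the guarded fetch
//   'blocked'  internal target that is not the app itself, or a non-HTTP scheme
function classifyUploadUrl(fileUrl, serverURL) {
  let target;
  try {
    target = new URL(fileUrl, serverURL); // relative URLs resolve against the app
  } catch {
    return 'blocked';
  }
  if (!['http:', 'https:'].includes(target.protocol)) return 'blocked';
  if (target.origin === new URL(serverURL).origin) return 'local';
  return isUnsafeHost(target.hostname) ? 'blocked' : 'external';
}

// Constructed sample inputs, modelled on the URLs quoted in this thread.
const SAMPLE_SERVER_URL = 'http://localhost:3020';
for (const u of [
  'http://localhost:3020/api/media/file/dummy-upload.png',
  'http://localhost:9999/internal',
  'http://169.254.169.254/latest/meta-data/',
  'https://cdn.example.com/photo.png',
]) {
  console.log(classifyUploadUrl(u, SAMPLE_SERVER_URL).padEnd(8), u);
}
```

Comparing the full origin rather than only the hostname keeps other ports on the same machine behind the guard.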
tsemachh commented on Jul 2, 2025
O.k. will try tomorrow to set up public GitHub with the recreation on localhost with localstorage
tsemachh commented on Jul 3, 2025
@kendelljoseph nailed it:
look at: https://github.com/shefing/bulkuploadbug
I added GCS (not enabled) and beforeValidate hook and I managed to recreate it
Use posts add research document then edit it after creation
fix: check hostname of upload url (#13018)
kendelljoseph commented on Jul 3, 2025
@tsemachh using your reproduction and the GCS storage plugin I was unable to trigger a result related to this issue.
I did get this error when trying to update:
Which is unrelated.
tsemachh commented on Jul 3, 2025
Try to upload pdf then after saving try to edit the upload by adding related posts
tsemachh commented on Jul 4, 2025
@kendelljoseph I upgraded the test to 3.45 and the test now works o.k.
However in my repo upgrading to 3.45 I still see same error.
I will try maybe next week to recreate it in the test repo, for now you can ignore this.
Here's a readable version of the stack trace from the provided error log:
Error Type: FileRetrievalError
Message: אירעה בעיה בזמן העלאת הקובץ. Blocked unsafe attempt to http://localhost:3000/api/research-documents/file/summerwork.pdf
Status: 500
Environment: Development
User: tsemachhadad
Hostname: Tsemachs-MacBook-Pro.local
Stack Trace:
File:
/Users/tsemachhadad/devemada/emda2/node_modules/payload/dist/uploads/generateFileData.js:53:19
File:
node:internal/process/task_queues:105:5
File:
/Users/tsemachhadad/devemada/emda2/node_modules/payload/dist/collections/operations/updateByID.js:80:61
File:
/Users/tsemachhadad/devemada/emda2/node_modules/payload/dist/collections/endpoints/updateByID.js:16:17
File:
/Users/tsemachhadad/devemada/emda2/node_modules/payload/dist/utilities/handleEndpoints.js:169:26
File:
/Users/tsemachhadad/devemada/emda2/.next/server/chunks/node_modules_@payloadcms_1f8018f9._.js:6595:26
File:
/Users/tsemachhadad/devemada/emda2/node_modules/next/dist/compiled/next-server/app-route-turbo.runtime.dev.js:26:34112
File:
/Users/tsemachhadad/devemada/emda2/node_modules/next/dist/compiled/next-server/app-route-turbo.runtime.dev.js:26:41338
AI Summary:
The error occurred during a file upload attempt to http://localhost:3000/api/research-documents/file/summerwork.pdf. The FileRetrievalError indicates a blocked unsafe attempt, likely due to security restrictions or misconfiguration in the file upload process. The issue originates in the generateFileData function within the Payload CMS library and propagates through Next.js server-side rendering and request handling. Check the file upload configuration, security policies (e.g., CORS, Content Security Policy), or the specified URL for potential issues.
simovicaleksa commented on Jul 6, 2025
Hello guys, I should probably open an issue for this but it seems related to this closed one.
Problem
I have started experiencing the same issue in the original post after adding beforeOperation hook to my media collection config. Interestingly, it only happens in production when I try to update an existing document by changing for example alt text. Changing the entire image does not seem to cause any trouble.
Besides not being able to save the new document configuration, I'm experiencing a weird bug where once I start editing the text fields, my writing gets interrupted by cursor moving to the end of the string (video example attached).
Once I finish editing the field and click "save", the console logs the following error:
ERROR: There was a problem while uploading the file. Blocked unsafe attempt to https://example.com/api/media/file/c33814713f7e4190b7f3aa661b4c9629.jpg
Setting skipSafeFetch to true fixes my issue in production, but it also introduces the cursor bug in the dev.
Media Collection Config
Additional Information
beforeOperation hook to my media collection
dev
3.45.0
skipSafeFetch is set to false
admin app through a reverse proxy
Question
What exactly does the safeFetch do? I couldn't find anything in the docs about it. Also any ideas for fixing the cursor bug, or what could be causing it?
github-actions commented on Jul 7, 2025
🚀 This is included in version v3.46.0
appfresheners commented on Jul 9, 2025
Hi @kendelljoseph
Is this supposed to work locally? I have the same issue on v3.46.0 using http://localhost:3000
github-actions commented on Jul 17, 2025
This issue has been automatically locked.
Please open a new issue if this issue persists with any additional detail.