Merge pull request #12411 from Budibase/switch-to-blocklist-for-file-extensions

Move from an allow list to a block list of file extensions.
Sam Rose 2023-11-21 12:09:21 +00:00 committed by GitHub
commit 2be8940334
3 changed files with 73 additions and 43 deletions


@ -1,4 +1,4 @@
import { ValidFileExtensions } from "@budibase/shared-core"
import { InvalidFileExtensions } from "@budibase/shared-core"
require("svelte/register")
@ -86,7 +86,10 @@ export const uploadFile = async function (
)
}
if (!env.SELF_HOSTED && !ValidFileExtensions.includes(extension)) {
if (
!env.SELF_HOSTED &&
InvalidFileExtensions.includes(extension.toLowerCase())
) {
throw new BadRequestError(
`File "${file.name}" has an invalid extension: "${extension}"`
)
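Review bot: The new condition calls `extension.toLowerCase()` unguarded, so an upload whose name yields no extension would surface as a TypeError instead of the BadRequestError thrown on the next lines; the hunk does not show how `extension` is derived from `file.name` (uploadFile starts and ends outside the hunk), so if it can be undefined, use `(extension ?? "").toLowerCase()` or reject the missing case earlier. The switch also changes the default from reject-unknown to accept-unknown, and the whole check is skipped for self-hosted installs, neither of which is stated at the call site; a one-line comment above the `if` would help the next reader, e.g. `// Deny-list check (cloud only): any extension not in InvalidFileExtensions is accepted`.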


@ -35,6 +35,17 @@ describe("/api/applications/:appId/sync", () => {
})
})
it("should reject an upload with a malicious uppercase file extension", async () => {
await config.withEnv({ SELF_HOSTED: undefined }, async () => {
let resp = (await config.api.attachment.process(
"OHNO.EXE",
Buffer.from([0]),
{ expectStatus: 400 }
)) as unknown as APIError
expect(resp.message).toContain("invalid extension")
})
})
it("should reject an upload with no file", async () => {
let resp = (await config.api.attachment.process(
undefined as any,
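Review bot: The new test declares `let resp` although it is never reassigned and narrows the response with a double assertion `as unknown as APIError`; `const resp = (await config.api.attachment.process(...)) as unknown as APIError` at least fixes the binding, and a typed `expectStatus` helper would remove the cast entirely if one exists. The case covers only an all-uppercase name; since the lowercasing is the new behaviour, a mixed-case name such as `"ohno.Exe"` would pin it more tightly, and a positive case showing that an extension absent from InvalidFileExtensions is now accepted would document the allow-list-to-deny-list change, unless such tests already exist above the hunk, which I cannot see from here.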


@ -96,45 +96,61 @@ export enum BuilderSocketEvent {
export const SocketSessionTTL = 60
export const ValidQueryNameRegex = /^[^()]*$/
export const ValidColumnNameRegex = /^[_a-zA-Z0-9\s]*$/g
export const ValidFileExtensions = [
"avif",
"css",
"csv",
"docx",
"drawio",
"editorconfig",
"edl",
"enc",
"export",
"geojson",
"gif",
"htm",
"html",
"ics",
"iqy",
"jfif",
"jpeg",
"jpg",
"json",
"log",
"md",
"mid",
"odt",
"pdf",
"png",
"ris",
"rtf",
"svg",
"tex",
"toml",
"twig",
"txt",
"url",
"wav",
"webp",
"xls",
"xlsx",
"xml",
"yaml",
"yml",
export const InvalidFileExtensions = [
"7z",
"action",
"apk",
"app",
"bat",
"bin",
"cab",
"cmd",
"com",
"command",
"cpl",
"csh",
"ex_",
"exe",
"gadget",
"inf1",
"ins",
"inx",
"ipa",
"isu",
"job",
"js",
"jse",
"ksh",
"lnk",
"msc",
"msi",
"msp",
"mst",
"osx",
"out",
"paf",
"php",
"pif",
"prg",
"ps1",
"reg",
"rgs",
"run",
"scr",
"sct",
"shb",
"shs",
"tar",
"u3p",
"vb",
"vbe",
"vbs",
"vbscript",
"wasm",
"workflow",
"ws",
"wsf",
"wsh",
"zip",
]
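Review bot: InvalidFileExtensions has no documentation stating its contract, which matters more for a deny-list than it did for the allow-list it replaces: entries must be lowercase with no leading dot, the caller is expected to lowercase before comparing, and anything absent from the list is accepted. A TSDoc block above the declaration such as `/** Deny-list of upload extensions (lowercase, no leading dot). Callers lower-case before comparing; any extension not listed is accepted. */` would record that, and a small test asserting every entry is lowercase would stop a future mixed-case entry from silently never matching. The selection also deserves a comment on its intent, since archives like `7z`, `tar` and `zip` are blocked while active markup such as `html` and `svg` is not; whether that is a risk depends on whether attachments are served inline from the application's own origin, which this commit does not show.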