Merge branch 'master' into chore/lint_imports

2023-11-21 13:51:39 +01:00 · 2023-11-21 13:51:39 +01:00 · 3a3658fd03
parent 16af6ce352 2be8940334
commit 3a3658fd03
4 changed files with 75 additions and 46 deletions
--- a/packages/backend-core/src/redis/redlockImpl.ts
+++ b/packages/backend-core/src/redis/redlockImpl.ts
@ -3,6 +3,7 @@ import { getLockClient } from "./init"
 import { LockOptions, LockType } from "@budibase/types"
 import * as context from "../context"
 import env from "../environment"
+import { logWarn } from "../logging"

 async function getClient(
  type: LockType,
@ -116,7 +117,7 @@ export async function doWithLock<T>(
    const result = await task()
    return { executed: true, result }
  } catch (e: any) {
-    console.warn("lock error")
+    logWarn(`lock type: ${opts.type} error`, e)
    // lock limit exceeded
    if (e.name === "LockError") {
      if (opts.type === LockType.TRY_ONCE) {
@ -124,11 +125,9 @@ export async function doWithLock<T>(
        // due to retry count (0) exceeded
        return { executed: false }
      } else {
-        console.error(e)
        throw e
      }
    } else {
-      console.error(e)
      throw e
    }
  } finally {
--- a/packages/server/src/api/controllers/static/index.ts
+++ b/packages/server/src/api/controllers/static/index.ts
@ -1,4 +1,4 @@
-import { ValidFileExtensions } from "@budibase/shared-core"
+import { InvalidFileExtensions } from "@budibase/shared-core"

 require("svelte/register")

@ -86,7 +86,10 @@ export const uploadFile = async function (
        )
      }

-      if (!env.SELF_HOSTED && !ValidFileExtensions.includes(extension)) {
+      if (
+        !env.SELF_HOSTED &&
+        InvalidFileExtensions.includes(extension.toLowerCase())
+      ) {
        throw new BadRequestError(
          `File "${file.name}" has an invalid extension: "${extension}"`
        )
--- a/packages/server/src/api/routes/tests/attachment.spec.ts
+++ b/packages/server/src/api/routes/tests/attachment.spec.ts
@ -35,6 +35,17 @@ describe("/api/applications/:appId/sync", () => {
      })
    })

+    it("should reject an upload with a malicious uppercase file extension", async () => {
+      await config.withEnv({ SELF_HOSTED: undefined }, async () => {
+        let resp = (await config.api.attachment.process(
+          "OHNO.EXE",
+          Buffer.from([0]),
+          { expectStatus: 400 }
+        )) as unknown as APIError
+        expect(resp.message).toContain("invalid extension")
+      })
+    })
+
    it("should reject an upload with no file", async () => {
      let resp = (await config.api.attachment.process(
        undefined as any,
--- a/packages/shared-core/src/constants.ts
+++ b/packages/shared-core/src/constants.ts
@ -96,45 +96,61 @@ export enum BuilderSocketEvent {
 export const SocketSessionTTL = 60
 export const ValidQueryNameRegex = /^[^()]*$/
 export const ValidColumnNameRegex = /^[_a-zA-Z0-9\s]*$/g
-export const ValidFileExtensions = [
-  "avif",
-  "css",
-  "csv",
-  "docx",
-  "drawio",
-  "editorconfig",
-  "edl",
-  "enc",
-  "export",
-  "geojson",
-  "gif",
-  "htm",
-  "html",
-  "ics",
-  "iqy",
-  "jfif",
-  "jpeg",
-  "jpg",
-  "json",
-  "log",
-  "md",
-  "mid",
-  "odt",
-  "pdf",
-  "png",
-  "ris",
-  "rtf",
-  "svg",
-  "tex",
-  "toml",
-  "twig",
-  "txt",
-  "url",
-  "wav",
-  "webp",
-  "xls",
-  "xlsx",
-  "xml",
-  "yaml",
-  "yml",
+
+export const InvalidFileExtensions = [
+  "7z",
+  "action",
+  "apk",
+  "app",
+  "bat",
+  "bin",
+  "cab",
+  "cmd",
+  "com",
+  "command",
+  "cpl",
+  "csh",
+  "ex_",
+  "exe",
+  "gadget",
+  "inf1",
+  "ins",
+  "inx",
+  "ipa",
+  "isu",
+  "job",
+  "js",
+  "jse",
+  "ksh",
+  "lnk",
+  "msc",
+  "msi",
+  "msp",
+  "mst",
+  "osx",
+  "out",
+  "paf",
+  "php",
+  "pif",
+  "prg",
+  "ps1",
+  "reg",
+  "rgs",
+  "run",
+  "scr",
+  "sct",
+  "shb",
+  "shs",
+  "tar",
+  "u3p",
+  "vb",
+  "vbe",
+  "vbs",
+  "vbscript",
+  "wasm",
+  "workflow",
+  "ws",
+  "wsf",
+  "wsh",
+  "zip",
 ]