Merge branch 'master' into chore/lint_imports

packages/backend-core/src/redis/redlockImpl.ts

@@ -3,6 +3,7 @@ import { getLockClient } from "./init"
 import { LockOptions, LockType } from "@budibase/types"
 import * as context from "../context"
 import env from "../environment"
+import { logWarn } from "../logging"
 
 async function getClient(
   type: LockType,
@@ -116,7 +117,7 @@ export async function doWithLock<T>(
     const result = await task()
     return { executed: true, result }
   } catch (e: any) {
-    console.warn("lock error")
+    logWarn(`lock type: ${opts.type} error`, e)
     // lock limit exceeded
     if (e.name === "LockError") {
       if (opts.type === LockType.TRY_ONCE) {
@@ -124,11 +125,9 @@ export async function doWithLock<T>(
         // due to retry count (0) exceeded
         return { executed: false }
       } else {
-        console.error(e)
         throw e
       }
     } else {
-      console.error(e)
       throw e
     }
   } finally {

packages/server/src/api/controllers/static/index.ts

@@ -1,4 +1,4 @@
-import { ValidFileExtensions } from "@budibase/shared-core"
+import { InvalidFileExtensions } from "@budibase/shared-core"
 
 require("svelte/register")
 
@@ -86,7 +86,10 @@ export const uploadFile = async function (
         )
       }
 
-      if (!env.SELF_HOSTED && !ValidFileExtensions.includes(extension)) {
+      if (
+        !env.SELF_HOSTED &&
+        InvalidFileExtensions.includes(extension.toLowerCase())
+      ) {
         throw new BadRequestError(
           `File "${file.name}" has an invalid extension: "${extension}"`
         )

packages/server/src/api/routes/tests/attachment.spec.ts

@@ -35,6 +35,17 @@ describe("/api/applications/:appId/sync", () => {
       })
     })
 
+    it("should reject an upload with a malicious uppercase file extension", async () => {
+      await config.withEnv({ SELF_HOSTED: undefined }, async () => {
+        let resp = (await config.api.attachment.process(
+          "OHNO.EXE",
+          Buffer.from([0]),
+          { expectStatus: 400 }
+        )) as unknown as APIError
+        expect(resp.message).toContain("invalid extension")
+      })
+    })
+
     it("should reject an upload with no file", async () => {
       let resp = (await config.api.attachment.process(
         undefined as any,

packages/shared-core/src/constants.ts

@@ -96,45 +96,61 @@ export enum BuilderSocketEvent {
 export const SocketSessionTTL = 60
 export const ValidQueryNameRegex = /^[^()]*$/
 export const ValidColumnNameRegex = /^[_a-zA-Z0-9\s]*$/g
-export const ValidFileExtensions = [
+
-  "avif",
+export const InvalidFileExtensions = [
-  "css",
+  "7z",
-  "csv",
+  "action",
-  "docx",
+  "apk",
-  "drawio",
+  "app",
-  "editorconfig",
+  "bat",
-  "edl",
+  "bin",
-  "enc",
+  "cab",
-  "export",
+  "cmd",
-  "geojson",
+  "com",
-  "gif",
+  "command",
-  "htm",
+  "cpl",
-  "html",
+  "csh",
-  "ics",
+  "ex_",
-  "iqy",
+  "exe",
-  "jfif",
+  "gadget",
-  "jpeg",
+  "inf1",
-  "jpg",
+  "ins",
-  "json",
+  "inx",
-  "log",
+  "ipa",
-  "md",
+  "isu",
-  "mid",
+  "job",
-  "odt",
+  "js",
-  "pdf",
+  "jse",
-  "png",
+  "ksh",
-  "ris",
+  "lnk",
-  "rtf",
+  "msc",
-  "svg",
+  "msi",
-  "tex",
+  "msp",
-  "toml",
+  "mst",
-  "twig",
+  "osx",
-  "txt",
+  "out",
-  "url",
+  "paf",
-  "wav",
+  "php",
-  "webp",
+  "pif",
-  "xls",
+  "prg",
-  "xlsx",
+  "ps1",
-  "xml",
+  "reg",
-  "yaml",
+  "rgs",
-  "yml",
+  "run",
+  "scr",
+  "sct",
+  "shb",
+  "shs",
+  "tar",
+  "u3p",
+  "vb",
+  "vbe",
+  "vbs",
+  "vbscript",
+  "wasm",
+  "workflow",
+  "ws",
+  "wsf",
+  "wsh",
+  "zip",
 ]