Move from an allow list to a block list of file extensions.

This commit is contained in:
Sam Rose 2023-11-21 10:40:25 +00:00
parent 0d32ab77ae
commit b4cb97963c
No known key found for this signature in database
2 changed files with 56 additions and 43 deletions


@ -1,4 +1,4 @@
import { ValidFileExtensions } from "@budibase/shared-core"
import { InvalidFileExtensions } from "@budibase/shared-core"
require("svelte/register")
@ -86,7 +86,10 @@ export const uploadFile = async function (
)
}
if (!env.SELF_HOSTED && !ValidFileExtensions.includes(extension)) {
if (
!env.SELF_HOSTED &&
InvalidFileExtensions.includes(extension.toLowerCase())
) {
throw new BadRequestError(
`File "${file.name}" has an invalid extension: "${extension}"`
)


@ -96,45 +96,55 @@ export enum BuilderSocketEvent {
export const SocketSessionTTL = 60
export const ValidQueryNameRegex = /^[^()]*$/
export const ValidColumnNameRegex = /^[_a-zA-Z0-9\s]*$/g
export const ValidFileExtensions = [
"avif",
"css",
"csv",
"docx",
"drawio",
"editorconfig",
"edl",
"enc",
"export",
"geojson",
"gif",
"htm",
"html",
"ics",
"iqy",
"jfif",
"jpeg",
"jpg",
"json",
"log",
"md",
"mid",
"odt",
"pdf",
"png",
"ris",
"rtf",
"svg",
"tex",
"toml",
"twig",
"txt",
"url",
"wav",
"webp",
"xls",
"xlsx",
"xml",
"yaml",
"yml",
export const InvalidFileExtensions = [
"action",
"apk",
"app",
"bat",
"bin",
"cab",
"cmd",
"com",
"command",
"cpl",
"csh",
"ex_",
"exe",
"gadget",
"inf1",
"ins",
"inx",
"ipa",
"isu",
"job",
"jse",
"ksh",
"lnk",
"msc",
"msi",
"msp",
"mst",
"osx",
"out",
"paf",
"pif",
"prg",
"ps1",
"reg",
"rgs",
"run",
"scr",
"sct",
"shb",
"shs",
"u3p",
"vb",
"vbe",
"vbs",
"vbscript",
"workflow",
"ws",
"wsf",
"wsh",
]
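Review bot: `InvalidFileExtensions` has no comment stating its contract, and a denylist needs one more than an allow-list did because omissions are silent acceptances rather than rejections. The entries are all lowercase and the caller in the other file lowercases before comparing, so that convention should be written down next to the array, e.g. `// Lowercase extensions rejected on cloud uploads; callers must lowercase before comparing.` and a note on the criterion for adding an entry (executable or script-launching on a common OS). The hunk header indicates one more line after `]` that is not shown here, so the declaration may continue past this excerpt.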