From b4cb97963c60a857c58e195ef47d43d668102af6 Mon Sep 17 00:00:00 2001
From: Sam Rose
Date: Tue, 21 Nov 2023 10:40:25 +0000
Subject: [PATCH] Move from an allow list to a block list of file extensions.

---
 .../src/api/controllers/static/index.ts |  7 +-
 packages/shared-core/src/constants.ts   | 92 ++++++++++---------
 2 files changed, 56 insertions(+), 43 deletions(-)

diff --git a/packages/server/src/api/controllers/static/index.ts b/packages/server/src/api/controllers/static/index.ts
index 544bde1fbb..4c5415a6c6 100644
--- a/packages/server/src/api/controllers/static/index.ts
+++ b/packages/server/src/api/controllers/static/index.ts
@@ -1,4 +1,4 @@
-import { ValidFileExtensions } from "@budibase/shared-core"
+import { InvalidFileExtensions } from "@budibase/shared-core"
 
 require("svelte/register")
 
@@ -86,7 +86,10 @@ export const uploadFile = async function (
     )
   }
 
-  if (!env.SELF_HOSTED && !ValidFileExtensions.includes(extension)) {
+  if (
+    !env.SELF_HOSTED &&
+    InvalidFileExtensions.includes(extension.toLowerCase())
+  ) {
     throw new BadRequestError(
       `File "${file.name}" has an invalid extension: "${extension}"`
     )
diff --git a/packages/shared-core/src/constants.ts b/packages/shared-core/src/constants.ts
index e7c6feb20a..5b50d0eb3b 100644
--- a/packages/shared-core/src/constants.ts
+++ b/packages/shared-core/src/constants.ts
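Review bot: The rewritten condition turns the upload check from default-deny into default-allow: an extension is now rejected only if it appears in InvalidFileExtensions, so any executable or script format the list does not name is accepted, whereas the old allow list failed closed. That trade-off is not recorded anywhere in the code; a comment above the `if` such as `// Block-list check: extensions not listed in InvalidFileExtensions are accepted, so the list must be kept current as new executable formats appear.` would make the maintenance burden explicit. The normalisation is also one-sided — the candidate is lower-cased but not trimmed — and because how `extension` is derived from `file.name` is outside this hunk, whether it can carry surrounding whitespace or a trailing dot cannot be confirmed here; normalising at the point of derivation would be the safer place. Note also that the whole check is skipped when `env.SELF_HOSTED` is set, which this commit leaves unchanged. uploadFile begins and ends outside the hunk.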
@@ -96,45 +96,55 @@ export enum BuilderSocketEvent {
 export const SocketSessionTTL = 60
 export const ValidQueryNameRegex = /^[^()]*$/
 export const ValidColumnNameRegex = /^[_a-zA-Z0-9\s]*$/g
-export const ValidFileExtensions = [
-  "avif",
-  "css",
-  "csv",
-  "docx",
-  "drawio",
-  "editorconfig",
-  "edl",
-  "enc",
-  "export",
-  "geojson",
-  "gif",
-  "htm",
-  "html",
-  "ics",
-  "iqy",
-  "jfif",
-  "jpeg",
-  "jpg",
-  "json",
-  "log",
-  "md",
-  "mid",
-  "odt",
-  "pdf",
-  "png",
-  "ris",
-  "rtf",
-  "svg",
-  "tex",
-  "toml",
-  "twig",
-  "txt",
-  "url",
-  "wav",
-  "webp",
-  "xls",
-  "xlsx",
-  "xml",
-  "yaml",
-  "yml",
+
+export const InvalidFileExtensions = [
+  "action",
+  "apk",
+  "app",
+  "bat",
+  "bin",
+  "cab",
+  "cmd",
+  "com",
+  "command",
+  "cpl",
+  "csh",
+  "ex_",
+  "exe",
+  "gadget",
+  "inf1",
+  "ins",
+  "inx",
+  "ipa",
+  "isu",
+  "job",
+  "jse",
+  "ksh",
+  "lnk",
+  "msc",
+  "msi",
+  "msp",
+  "mst",
+  "osx",
+  "out",
+  "paf",
+  "pif",
+  "prg",
+  "ps1",
+  "reg",
+  "rgs",
+  "run",
+  "scr",
+  "sct",
+  "shb",
+  "shs",
+  "u3p",
+  "vb",
+  "vbe",
+  "vbs",
+  "vbscript",
+  "workflow",
+  "ws",
+  "wsf",
+  "wsh",
 ]
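Review bot: The new InvalidFileExtensions export has no comment stating what it is for or the invariant its consumer relies on: the static upload controller compares `extension.toLowerCase()` against it with `includes`, so every entry must be lower-case and a mixed-case addition would silently never match. A header comment above the declaration such as `// Block list of file extensions rejected by cloud uploads (see the static controller). Entries must be lower-case; the candidate is lower-cased before comparison.` would capture that. Since this is a shared security constant, declaring it readonly (`as const` or wrapping it in `Object.freeze`) would also prevent accidental runtime mutation, and exposing it as a `Set` would make the membership check intent clearer than an array lookup. The removal of ValidFileExtensions is a breaking change for any other importer; the diffstat shows only the static controller being updated, so presumably it was the sole consumer.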