Move from an allow list to a block list of file extensions.

packages/server/src/api/controllers/static/index.ts

@@ -1,4 +1,4 @@
-import { ValidFileExtensions } from "@budibase/shared-core"
+import { InvalidFileExtensions } from "@budibase/shared-core"
 
 require("svelte/register")
 
@@ -86,7 +86,10 @@ export const uploadFile = async function (
         )
       }
 
-      if (!env.SELF_HOSTED && !ValidFileExtensions.includes(extension)) {
+      if (
+        !env.SELF_HOSTED &&
+        InvalidFileExtensions.includes(extension.toLowerCase())
+      ) {
         throw new BadRequestError(
           `File "${file.name}" has an invalid extension: "${extension}"`
         )

packages/shared-core/src/constants.ts

@@ -96,45 +96,55 @@ export enum BuilderSocketEvent {
 export const SocketSessionTTL = 60
 export const ValidQueryNameRegex = /^[^()]*$/
 export const ValidColumnNameRegex = /^[_a-zA-Z0-9\s]*$/g
-export const ValidFileExtensions = [
+
-  "avif",
+export const InvalidFileExtensions = [
-  "css",
+  "action",
-  "csv",
+  "apk",
-  "docx",
+  "app",
-  "drawio",
+  "bat",
-  "editorconfig",
+  "bin",
-  "edl",
+  "cab",
-  "enc",
+  "cmd",
-  "export",
+  "com",
-  "geojson",
+  "command",
-  "gif",
+  "cpl",
-  "htm",
+  "csh",
-  "html",
+  "ex_",
-  "ics",
+  "exe",
-  "iqy",
+  "gadget",
-  "jfif",
+  "inf1",
-  "jpeg",
+  "ins",
-  "jpg",
+  "inx",
-  "json",
+  "ipa",
-  "log",
+  "isu",
-  "md",
+  "job",
-  "mid",
+  "jse",
-  "odt",
+  "ksh",
-  "pdf",
+  "lnk",
-  "png",
+  "msc",
-  "ris",
+  "msi",
-  "rtf",
+  "msp",
-  "svg",
+  "mst",
-  "tex",
+  "osx",
-  "toml",
+  "out",
-  "twig",
+  "paf",
-  "txt",
+  "pif",
-  "url",
+  "prg",
-  "wav",
+  "ps1",
-  "webp",
+  "reg",
-  "xls",
+  "rgs",
-  "xlsx",
+  "run",
-  "xml",
+  "scr",
-  "yaml",
+  "sct",
-  "yml",
+  "shb",
+  "shs",
+  "u3p",
+  "vb",
+  "vbe",
+  "vbs",
+  "vbscript",
+  "workflow",
+  "ws",
+  "wsf",
+  "wsh",
 ]