refactor: Add new Parse Server option fileUpload.fileExtensions to restrict file upload by file extension (#8539)

2023-05-21 01:31:52 +02:00
parent db4c214eac
commit a27482c57e
6 changed files with 209 additions and 25 deletions
--- a/src/Options/Definitions.js
+++ b/src/Options/Definitions.js
@@ -975,6 +975,13 @@ module.exports.FileUploadOptions = {
    action: parsers.booleanParser,
    default: false,
  },
+  fileExtensions: {
+    env: 'PARSE_SERVER_FILE_UPLOAD_FILE_EXTENSIONS',
+    help:
+      "Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^[^hH][^tT][^mM][^lL]?$` which allows any file extension except HTML files.",
+    action: parsers.arrayParser,
+    default: ['^[^hH][^tT][^mM][^lL]?$'],
+  },
 };
 module.exports.DatabaseOptions = {
  enableSchemaHooks: {