add file ext

Author: dblythy

spec/ParseFile.spec.js

@@ -37,8 +37,14 @@ describe('Parse.File testing', () => {
       });
     });
 
-    it('works with _ContentType', done => {
-      request({
+    it('works with _ContentType', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          fileExtensions: '*',
+        },
+      });
+      let response = await request({
         method: 'POST',
         url: 'http://localhost:8378/1/files/file',
         body: JSON.stringify({
@@ -47,21 +53,18 @@ describe('Parse.File testing', () => {
           _ContentType: 'text/html',
           base64: 'PGh0bWw+PC9odG1sPgo=',
         }),
-      }).then(response => {
-        const b = response.data;
-        expect(b.name).toMatch(/_file.html/);
-        expect(b.url).toMatch(/^http:\/\/localhost:8378\/1\/files\/test\/.*file.html$/);
-        request({ url: b.url }).then(response => {
-          const body = response.text;
-          try {
-            expect(response.headers['content-type']).toMatch('^text/html');
-            expect(body).toEqual('<html></html>\n');
-          } catch (e) {
-            jfail(e);
-          }
-          done();
-        });
       });
+      const b = response.data;
+      expect(b.name).toMatch(/_file.html/);
+      expect(b.url).toMatch(/^http:\/\/localhost:8378\/1\/files\/test\/.*file.html$/);
+      response = await request({ url: b.url });
+      const body = response.text;
+      try {
+        expect(response.headers['content-type']).toMatch('^text/html');
+        expect(body).toEqual('<html></html>\n');
+      } catch (e) {
+        jfail(e);
+      }
     });
 
     it('works without Content-Type', done => {
@@ -351,25 +354,28 @@ describe('Parse.File testing', () => {
       ok(object.toJSON().file.url);
     });
 
-    it('content-type used with no extension', done => {
+    it('content-type used with no extension', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          fileExtensions: '*',
+        },
+      });
       const headers = {
         'Content-Type': 'text/html',
         'X-Parse-Application-Id': 'test',
         'X-Parse-REST-API-Key': 'rest',
       };
-      request({
+      let response = await request({
         method: 'POST',
         headers: headers,
         url: 'http://localhost:8378/1/files/file',
         body: 'fee fi fo',
-      }).then(response => {
-        const b = response.data;
-        expect(b.name).toMatch(/\.html$/);
-        request({ url: b.url }).then(response => {
-          expect(response.headers['content-type']).toMatch(/^text\/html/);
-          done();
-        });
       });
+      const b = response.data;
+      expect(b.name).toMatch(/\.html$/);
+      response = await request({ url: b.url });
+      expect(response.headers['content-type']).toMatch(/^text\/html/);
     });
 
     it('filename is url encoded', done => {
@@ -1304,12 +1310,13 @@ describe('Parse.File testing', () => {
             fileExtensions: 1,
           },
         })
-      ).toBeRejectedWith('fileUpload.fileExtensions must be an array.');
+      ).toBeRejectedWith('fileUpload.fileExtensions must be an array or string.');
     });
   });
   describe('fileExtensions', () => {
     it('works with _ContentType', async () => {
       await reconfigureServer({
+        silent: false,
         fileUpload: {
           enableForPublic: true,
           fileExtensions: ['png'],
@@ -1329,7 +1336,7 @@ describe('Parse.File testing', () => {
           throw new Error(e.data.error);
         })
       ).toBeRejectedWith(
-        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of type html is disabled.`)
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of extension html is disabled.`)
       );
     });
 
@@ -1353,7 +1360,7 @@ describe('Parse.File testing', () => {
           throw new Error(e.data.error);
         })
       ).toBeRejectedWith(
-        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of type html is disabled.`)
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of extension html is disabled.`)
       );
     });
 
@@ -1378,7 +1385,7 @@ describe('Parse.File testing', () => {
           throw new Error(e.data.error);
         })
       ).toBeRejectedWith(
-        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of type html is disabled.`)
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of extension html is disabled.`)
       );
     });
 
@@ -1403,7 +1410,7 @@ describe('Parse.File testing', () => {
           throw new Error(e.data.error);
         })
       ).toBeRejectedWith(
-        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of type html is disabled.`)
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of extension html is disabled.`)
       );
     });
 

spec/helper.js

@@ -110,7 +110,6 @@ const defaultConfiguration = {
     enableForPublic: true,
     enableForAnonymousUser: true,
     enableForAuthenticatedUser: true,
-    fileExtensions: ['*']
   },
   push: {
     android: {

src/Config.js

@@ -426,8 +426,11 @@ export class Config {
     }
     if (fileUpload.fileExtensions === undefined) {
       fileUpload.fileExtensions = FileUploadOptions.fileExtensions.default;
-    } else if (!Array.isArray(fileUpload.fileExtensions)) {
-      throw 'fileUpload.fileExtensions must be an array.';
+    } else if (
+      !Array.isArray(fileUpload.fileExtensions) &&
+      typeof fileUpload.fileExtensions !== 'string'
+    ) {
+      throw 'fileUpload.fileExtensions must be an array or string.';
     }
   }
 

src/Options/Definitions.js

@@ -875,9 +875,9 @@ module.exports.FileUploadOptions = {
   },
   fileExtensions: {
     env: 'PARSE_SERVER_FILE_UPLOAD_FILE_EXTENSIONS',
-    help: 'Allowed content types of files',
-    action: parsers.arrayParser,
-    default: [],
+    help:
+      "Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^[^hH][^tT][^mM][^lL]?$` which allows any file extension except HTML files.",
+    default: '^[^hH][^tT][^mM][^lL]?$',
   },
 };
 module.exports.DatabaseOptions = {

src/Options/docs.js

@@ -203,7 +203,7 @@
  * @property {Boolean} enableForAnonymousUser Is true if file upload should be allowed for anonymous users.
  * @property {Boolean} enableForAuthenticatedUser Is true if file upload should be allowed for authenticated users.
  * @property {Boolean} enableForPublic Is true if file upload should be allowed for anyone, regardless of user authentication.
- * @property {String[]} fileExtensions Allowed content types of files
+ * @property {String} fileExtensions Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^[^hH][^tT][^mM][^lL]?$` which allows any file extension except HTML files.
  */
 
 /**

src/Options/index.js

@@ -493,9 +493,9 @@ export interface PasswordPolicyOptions {
 }
 
 export interface FileUploadOptions {
-  /* Allowed content types of files
-  :DEFAULT: [] */
-  fileExtensions: ?(string[]);
+  /* Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^[^hH][^tT][^mM][^lL]?$` which allows any file extension except HTML files.
+  :DEFAULT: ^[^hH][^tT][^mM][^lL]?$ */
+  fileExtensions: ?string;
   /*  Is true if file upload should be allowed for anonymous users.
   :DEFAULT: false */
   enableForAnonymousUser: ?boolean;

src/Routers/FilesRouter.js

@@ -138,17 +138,32 @@ export class FilesRouter {
       return;
     }
 
-    const fileExtensions = config.fileUpload && config.fileUpload.fileExtensions;
-    if (!isMaster && fileExtensions && !fileExtensions.includes('*')) {
-      try {
-        const extension = filename.includes('.')
-          ? filename.split('.')[1]
-          : contentType.split('/')[1];
-        if (!fileExtensions.includes(extension)) {
-          throw `File upload of type ${extension} is disabled.`;
+    const fileExtensions = config.fileUpload?.fileExtensions;
+    if (!isMaster && fileExtensions) {
+      const isValidExtension = extension => {
+        if (fileExtensions === '*') {
+          return true;
+        }
+        if (Array.isArray(fileExtensions)) {
+          if (fileExtensions.includes(extension)) {
+            return true;
+          }
+        } else {
+          const regex = new RegExp(fileExtensions);
+          if (regex.test(extension)) {
+            return true;
+          }
         }
-      } catch (e) {
-        next(new Parse.Error(Parse.Error.FILE_SAVE_ERROR, e));
+      };
+      let extension = filename.includes('.') ? filename.split('.')[1] : contentType.split('/')[1];
+      extension = extension.split(' ').join('');
+      if (!isValidExtension(extension)) {
+        next(
+          new Parse.Error(
+            Parse.Error.FILE_SAVE_ERROR,
+            `File upload of extension ${extension} is disabled.`
+          )
+        );
         return;
       }
     }