wip

Author: dblythy

package-lock.json

@@ -41,7 +41,7 @@ describe('Parse.File testing', () => {
       await reconfigureServer({
         fileUpload: {
           enableForPublic: true,
-          fileExtensions: '*',
+          fileExtensions: ['*'],
         },
       });
       let response = await request({
@@ -358,7 +358,7 @@ describe('Parse.File testing', () => {
       await reconfigureServer({
         fileUpload: {
           enableForPublic: true,
-          fileExtensions: '*',
+          fileExtensions: ['*'],
         },
       });
       const headers = {
@@ -1310,7 +1310,7 @@ describe('Parse.File testing', () => {
             fileExtensions: 1,
           },
         })
-      ).toBeRejectedWith('fileUpload.fileExtensions must be an array or string.');
+      ).toBeRejectedWith('fileUpload.fileExtensions must be an array.');
     });
   });
   describe('fileExtensions', () => {

spec/ParseFile.spec.js

@@ -438,11 +438,8 @@ export class Config {
     }
     if (fileUpload.fileExtensions === undefined) {
       fileUpload.fileExtensions = FileUploadOptions.fileExtensions.default;
-    } else if (
-      !Array.isArray(fileUpload.fileExtensions) &&
-      typeof fileUpload.fileExtensions !== 'string'
-    ) {
-      throw 'fileUpload.fileExtensions must be an array or string.';
+    } else if (!Array.isArray(fileUpload.fileExtensions)) {
+      throw 'fileUpload.fileExtensions must be an array.';
     }
   }
 

src/Config.js

@@ -4,6 +4,7 @@ This code has been generated by resources/buildConfigDefinitions.js
 Do not edit manually, but update Options/index.js
 */
 var parsers = require('./parsers');
+
 module.exports.SchemaOptions = {
   afterMigration: {
     env: 'PARSE_SERVER_SCHEMA_AFTER_MIGRATION',
@@ -886,7 +887,8 @@ module.exports.FileUploadOptions = {
     env: 'PARSE_SERVER_FILE_UPLOAD_FILE_EXTENSIONS',
     help:
       "Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^[^hH][^tT][^mM][^lL]?$` which allows any file extension except HTML files.",
-    default: '^[^hH][^tT][^mM][^lL]?$',
+    action: parsers.arrayParser,
+    default: ['^[^hH][^tT][^mM][^lL]?$'],
   },
 };
 module.exports.DatabaseOptions = {

src/Options/Definitions.js

@@ -204,7 +204,7 @@
  * @property {Boolean} enableForAnonymousUser Is true if file upload should be allowed for anonymous users.
  * @property {Boolean} enableForAuthenticatedUser Is true if file upload should be allowed for authenticated users.
  * @property {Boolean} enableForPublic Is true if file upload should be allowed for anyone, regardless of user authentication.
- * @property {String} fileExtensions Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^[^hH][^tT][^mM][^lL]?$` which allows any file extension except HTML files.
+ * @property {String[]} fileExtensions Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^[^hH][^tT][^mM][^lL]?$` which allows any file extension except HTML files.
  */
 
 /**

src/Options/docs.js

@@ -498,8 +498,8 @@ export interface PasswordPolicyOptions {
 
 export interface FileUploadOptions {
   /* Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^[^hH][^tT][^mM][^lL]?$` which allows any file extension except HTML files.
-  :DEFAULT: ^[^hH][^tT][^mM][^lL]?$ */
-  fileExtensions: ?string;
+  :DEFAULT: ["^[^hH][^tT][^mM][^lL]?$"] */
+  fileExtensions: ?(string[]);
   /*  Is true if file upload should be allowed for anonymous users.
   :DEFAULT: false */
   enableForAnonymousUser: ?boolean;

src/Options/index.js

@@ -141,19 +141,15 @@ export class FilesRouter {
     const fileExtensions = config.fileUpload?.fileExtensions;
     if (!isMaster && fileExtensions) {
       const isValidExtension = extension => {
-        if (fileExtensions === '*') {
-          return true;
-        }
-        if (Array.isArray(fileExtensions)) {
-          if (fileExtensions.includes(extension)) {
+        return fileExtensions.some(ext => {
+          if (ext === '*') {
             return true;
           }
-        } else {
           const regex = new RegExp(fileExtensions);
           if (regex.test(extension)) {
             return true;
           }
-        }
+        });
       };
       let extension = filename.includes('.') ? filename.split('.')[1] : contentType.split('/')[1];
       extension = extension.split(' ').join('');