Commit

fix: Parse Server option fileExtensions default value rejects file extensions that are less than 3 or more than 4 characters long (#8699)
dblythy authored Mar 10, 2024
1 parent 3fbd926 commit 2760381
Showing 4 changed files with 17 additions and 5 deletions.
12 changes: 12 additions & 0 deletions spec/ParseFile.spec.js
Expand Up @@ -1364,6 +1364,18 @@ describe('Parse.File testing', () => {
);
});

it('default should allow common types', async () => {
await reconfigureServer({
fileUpload: {
enableForPublic: true,
},
});
for (const type of ['plain', 'txt', 'png', 'jpg', 'gif', 'doc']) {
const file = new Parse.File(`parse-server-logo.${type}`, { base64: 'ParseA==' });
await file.save();
}
});

it('works with a period in the file name', async () => {
await reconfigureServer({
fileUpload: {
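
Review bot: The new test `default should allow common types` only exercises the accept path and never asserts that `html` or `htm` is still rejected under the default, and its list has no extension shorter than 3 characters even though the commit title names that case. Add a one- or two-character extension (for example `gz`) to the loop, plus a companion case with the same default config that expects `file.save()` to reject for `html`, `htm` and a mixed-case spelling such as `HtMl`, so a later change to the default cannot silently widen it.
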
4 changes: 2 additions & 2 deletions src/Options/Definitions.js
Expand Up @@ -1022,9 +1022,9 @@ module.exports.FileUploadOptions = {
fileExtensions: {
env: 'PARSE_SERVER_FILE_UPLOAD_FILE_EXTENSIONS',
help:
"Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^[^hH][^tT][^mM][^lL]?$` which allows any file extension except HTML files.",
"Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^(?!(h|H)(t|T)(m|M)(l|L)?$)` which allows any file extension except HTML files.",
action: parsers.arrayParser,
default: ['^[^hH][^tT][^mM][^lL]?$'],
default: ['^(?!(h|H)(t|T)(m|M)(l|L)?$)'],
},
};
module.exports.DatabaseOptions = {
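
Review bot: In the new `default` value `^(?!(h|H)(t|T)(m|M)(l|L)?$)` the whole pattern is a zero-width lookahead with nothing after it, so it relies on the caller doing a partial match and it also matches the empty string; the four `(x|X)` alternations create capture groups that are never used. Consider `^(?![hH][tT][mM][lL]?$)` with character classes, as the old pattern used, and if an empty extension should not pass, follow the lookahead with a consuming part such as `.+$`.
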
2 changes: 1 addition & 1 deletion src/Options/docs.js
4 changes: 2 additions & 2 deletions src/Options/index.js
Expand Up @@ -576,8 +576,8 @@ export interface PasswordPolicyOptions {
}

export interface FileUploadOptions {
/* Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^[^hH][^tT][^mM][^lL]?$` which allows any file extension except HTML files.
:DEFAULT: ["^[^hH][^tT][^mM][^lL]?$"] */
/* Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern.<br><br>It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage.<br><br>Defaults to `^(?!(h|H)(t|T)(m|M)(l|L)?$)` which allows any file extension except HTML files.
:DEFAULT: ["^(?!(h|H)(t|T)(m|M)(l|L)?$)"] */
fileExtensions: ?(string[]);
/* Is true if file upload should be allowed for anonymous users.
:DEFAULT: false */
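
Review bot: The updated comment on `fileExtensions` still says the default "allows any file extension except HTML files", but the pattern in `:DEFAULT:` excludes only the exact extensions `htm` and `html` in any letter case. Reword the sentence to say precisely that, and note in the comment that this default accepts extensions the previous default rejected, so operators who relied on the old behaviour know to set an explicit list.
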