feat: add parse server option fileUpload.fileTypes

Author: dblythy

spec/.eslintrc.json

@@ -34,7 +34,8 @@
       "jequal": true,
       "create": true,
       "arrayContains": true,
-      "databaseAdapter": true
+      "databaseAdapter": true,
+      "requestWithExpectedError": true
     },
     "rules": {
       "no-console": [0],

spec/ParseFile.spec.js

@@ -1109,6 +1109,150 @@ describe('Parse.File testing', () => {
           await expectAsync(reconfigureServer({ fileUpload: { [key]: value } })).toBeResolved();
         }
       }
+      await expectAsync(
+        reconfigureServer({
+          fileUpload: {
+            fileTypes: 1,
+          },
+        })
+      ).toBeRejectedWith('fileUpload.fileTypes must be an array or string.');
+    });
+  });
+  describe('fileTypes', () => {
+    it('works with _ContentType', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          fileTypes: '(^image)(/)[a-zA-Z0-9_]*',
+        },
+      });
+      await expectAsync(
+        requestWithExpectedError({
+          method: 'POST',
+          url: 'http://localhost:8378/1/files/file',
+          body: JSON.stringify({
+            _ApplicationId: 'test',
+            _JavaScriptKey: 'test',
+            _ContentType: 'text/html',
+            base64: 'PGh0bWw+PC9odG1sPgo=',
+          }),
+        })
+      ).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of type text/html is disabled.`)
+      );
+    });
+
+    it('works without Content-Type', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          fileTypes: '(^image)(/)[a-zA-Z0-9_]*',
+        },
+      });
+      const headers = {
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      await expectAsync(
+        requestWithExpectedError({
+          method: 'POST',
+          headers: headers,
+          url: 'http://localhost:8378/1/files/file.html',
+          body: '<html></html>\n',
+        })
+      ).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of type text/html is disabled.`)
+      );
+    });
+
+    it('works with array', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          fileTypes: ['image/jpg'],
+        },
+      });
+      await expectAsync(
+        requestWithExpectedError({
+          method: 'POST',
+          url: 'http://localhost:8378/1/files/file',
+          body: JSON.stringify({
+            _ApplicationId: 'test',
+            _JavaScriptKey: 'test',
+            _ContentType: 'text/html',
+            base64: 'PGh0bWw+PC9odG1sPgo=',
+          }),
+        })
+      ).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of type text/html is disabled.`)
+      );
+    });
+
+    it('works with array without Content-Type', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          fileTypes: ['image/jpg'],
+        },
+      });
+      const headers = {
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      await expectAsync(
+        requestWithExpectedError({
+          method: 'POST',
+          headers: headers,
+          url: 'http://localhost:8378/1/files/file.html',
+          body: '<html></html>\n',
+        })
+      ).toBeRejectedWith(
+        new Parse.Error(Parse.Error.FILE_SAVE_ERROR, `File upload of type text/html is disabled.`)
+      );
+    });
+
+    it('works with array with correct file type', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          fileTypes: ['text/html'],
+        },
+      });
+      const response = await request({
+        method: 'POST',
+        url: 'http://localhost:8378/1/files/file',
+        body: JSON.stringify({
+          _ApplicationId: 'test',
+          _JavaScriptKey: 'test',
+          _ContentType: 'text/html',
+          base64: 'PGh0bWw+PC9odG1sPgo=',
+        }),
+      });
+      const b = response.data;
+      expect(b.name).toMatch(/_file.html$/);
+      expect(b.url).toMatch(/^http:\/\/localhost:8378\/1\/files\/test\/.*file.html$/);
+    });
+
+    it('works with regex with correct file type', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          fileTypes: '(^text)(/)[a-zA-Z0-9_]*',
+        },
+      });
+      const headers = {
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+      const response = await request({
+        method: 'POST',
+        headers: headers,
+        url: 'http://localhost:8378/1/files/file.html',
+        body: '<html></html>\n',
+      });
+      const b = response.data;
+      expect(b.name).toMatch(/_file.html$/);
+      expect(b.url).toMatch(/^http:\/\/localhost:8378\/1\/files\/test\/.*file.html$/);
     });
   });
 });

spec/helper.js

@@ -4,6 +4,7 @@ const semver = require('semver');
 const CurrentSpecReporter = require('./support/CurrentSpecReporter.js');
 const { SpecReporter } = require('jasmine-spec-reporter');
 const SchemaCache = require('../lib/Adapters/Cache/SchemaCache').default;
+const request = require('../lib/request');
 
 // Ensure localhost resolves to ipv4 address first on node v17+
 if (dns.setDefaultResultOrder) {
@@ -30,6 +31,13 @@ if (global._babelPolyfill) {
   console.error('We should not use polyfilled tests');
   process.exit(1);
 }
+global.requestWithExpectedError = async params => {
+  try {
+    return await request(params);
+  } catch (e) {
+    throw new Error(e.data.error);
+  }
+};
 process.noDeprecation = true;
 
 const cache = require('../lib/cache').default;

src/Config.js

@@ -421,6 +421,11 @@ export class Config {
     } else if (typeof fileUpload.enableForAuthenticatedUser !== 'boolean') {
       throw 'fileUpload.enableForAuthenticatedUser must be a boolean value.';
     }
+    if (fileUpload.fileTypes === undefined) {
+      fileUpload.fileTypes = FileUploadOptions.fileTypes.default;
+    } else if (typeof fileUpload.fileTypes !== 'string' && !Array.isArray(fileUpload.fileTypes)) {
+      throw 'fileUpload.fileTypes must be an array or string.';
+    }
   }
 
   static validateMasterKeyIps(masterKeyIps) {

src/Deprecator/Deprecations.js

@@ -24,4 +24,5 @@ module.exports = [
   },
   { optionKey: 'enforcePrivateUsers', changeNewDefault: 'true' },
   { optionKey: 'allowClientClassCreation', changeNewDefault: 'false' },
+  { optionKey: 'fileUpload.fileTypes', changeNewDefault: '^(.(?!.*html?))*$' },
 ];

src/Options/Definitions.js

@@ -866,6 +866,11 @@ module.exports.FileUploadOptions = {
     action: parsers.booleanParser,
     default: false,
   },
+  fileTypes: {
+    env: 'PARSE_SERVER_FILE_UPLOAD_FILE_TYPES',
+    help: 'If set, allowed content types of files',
+    default: '.*',
+  },
 };
 module.exports.DatabaseOptions = {
   enableSchemaHooks: {

src/Options/docs.js

@@ -202,6 +202,7 @@
  * @property {Boolean} enableForAnonymousUser Is true if file upload should be allowed for anonymous users.
  * @property {Boolean} enableForAuthenticatedUser Is true if file upload should be allowed for authenticated users.
  * @property {Boolean} enableForPublic Is true if file upload should be allowed for anyone, regardless of user authentication.
+ * @property {String} fileTypes If set, allowed content types of files
  */
 
 /**

src/Options/index.js

@@ -490,6 +490,9 @@ export interface PasswordPolicyOptions {
 }
 
 export interface FileUploadOptions {
+  /*  If set, allowed content types of files
+  :DEFAULT: .* */
+  fileTypes: ?string;
   /*  Is true if file upload should be allowed for anonymous users.
   :DEFAULT: false */
   enableForAnonymousUser: ?boolean;

src/Routers/FilesRouter.js

@@ -124,7 +124,7 @@ export class FilesRouter {
     }
     const filesController = config.filesController;
     const { filename } = req.params;
-    const contentType = req.get('Content-type');
+    const contentType = req.get('Content-type') || mime.getType(filename);
 
     if (!req.body || !req.body.length) {
       next(new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'Invalid file upload.'));
@@ -137,6 +137,25 @@ export class FilesRouter {
       return;
     }
 
+    const fileTypes = config.fileUpload && config.fileUpload.fileTypes;
+    if (!isMaster && fileTypes) {
+      try {
+        if (Array.isArray(fileTypes)) {
+          if (!fileTypes.includes(contentType)) {
+            throw `File upload of type ${contentType} is disabled.`;
+          }
+        } else if (typeof fileTypes === 'string') {
+          const regex = new RegExp(fileTypes);
+          if (!regex.test(contentType)) {
+            throw `File upload of type ${contentType} is disabled.`;
+          }
+        }
+      } catch (e) {
+        next(new Parse.Error(Parse.Error.FILE_SAVE_ERROR, e));
+        return;
+      }
+    }
+
     const base64 = req.body.toString('base64');
     const file = new Parse.File(filename, { base64 }, contentType);
     const { metadata = {}, tags = {} } = req.fileData || {};