Simple Whitelist for File Extensions #122
base: master
Conversation
Thanks for the contribution! I've added a little feedback inline.
| // Filter extensions if whitelist available | ||
| var whitelist = self.server.options.allowedExtensions; | ||
| var accepted = true; | ||
| if (whitelist && typeof whitelist === 'object' && Array.isArray(whitelist) && whitelist.length) { |
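Review bot: `accepted` is initialised to `true` and only flips to `false` inside the `if`, so a whitelist that is configured but malformed (a string, an object, or an empty array) silently disables filtering instead of failing closed. Consider treating a present-but-invalid `allowedExtensions` as a configuration error (throw or log at startup) rather than accepting every upload.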
Array.isArray(whitelist) && whitelist.length should be sufficient, right?
Actually, if it's an object and has a length, why check for array-ity?
| if (whitelist && typeof whitelist === 'object' && Array.isArray(whitelist) && whitelist.length) { | ||
| accepted = false; | ||
| whitelist.forEach(function (ext) { | ||
| if (fileto.endsWith(ext)) accepted = true; |
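Review bot: `fileto.endsWith(ext)` is a raw, case-sensitive suffix comparison, not an extension comparison. An entry written without a leading dot (`'png'`) also accepts `shell.phpng`, and `photo.PNG` is rejected while an entry such as `'.PHP'` never matches anything. Normalise both sides (lower-case, ensure the leading dot) or extract the actual extension and compare it for equality. Also, the variable is `fileto` here but `filename` in the second copy of this check below; one of them is presumably a typo.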
Can you check what version of Node added support for endsWith since we want to make sure we don't break existing installations.
We should allow RegExps too, or Cartesian product will explode for relatively simple stuff like /\.(html?|jpe?g|png|gif|p[pgx]m|txt)(\.((t?g|7)z|zip|tar(\.[g7]z|))|)$/. And that doesn't even yet include rules to allow some parts to be all-uppercase when using tar. ;-)
| whitelist.forEach(function (ext) { | ||
| if (filename.endsWith(ext)) accepted = true; | ||
| }); | ||
| } |
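Review bot: nothing validates the entries of `whitelist` before the `forEach`; an empty string in the array makes `filename.endsWith('')` true for every file, so a single bad entry in the config turns the whitelist into an allow-all. Reject empty or non-string entries when the options are loaded, and since this block duplicates the check above, the validation only needs to live in one place.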
Since we're repeating this whitelist checking logic, I think it would make sense to put it in a function so we can do: var accepted = checkWhitelist(self.server.options.allowedExtensions, filename);
Also it should have "extension" in its name because we might add other whitelists in the future.
In many cases, you want to limit the file extensions saved on the server to prevent executables or other formats from being uploaded.
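The following is an added example, not code from this pull request or from the project: one helper that factors the repeated check out of the patch (as the review asks) and covers the points raised in the thread, namely RegExp entries, entries written with or without a leading dot, letter case, empty entries, and a fail-closed default once a whitelist is configured. The option name `allowedExtensions` is taken from the patch; the function names `isExtensionAllowed`, `extensionOf` and `normalizeEntry`, and the sample whitelist and filenames, are assumptions made for the example.

```javascript
// Added example (not the project's code). Assumed option shape:
// options.allowedExtensions is an array mixing strings and RegExps.

// Return the lower-cased extension (including the dot) of the last path
// component, or '' when there is none. A dot-file such as ".htaccess"
// is treated as having no extension.
function extensionOf(filename) {
  var base = String(filename).split(/[\\/]/).pop();
  var dot = base.lastIndexOf('.');
  if (dot <= 0) return '';
  return base.slice(dot).toLowerCase();
}

// Normalise one whitelist entry: RegExps pass through, strings become
// lower-case extensions with a leading dot. Empty entries are rejected
// because a suffix match against '' would accept every file.
function normalizeEntry(entry) {
  if (entry instanceof RegExp) return entry;
  if (typeof entry !== 'string') {
    throw new TypeError('whitelist entries must be strings or RegExps');
  }
  var ext = entry.trim().toLowerCase();
  if (ext === '' || ext === '.') {
    throw new Error('empty whitelist entry would allow every file');
  }
  return ext.charAt(0) === '.' ? ext : '.' + ext;
}

// Accept everything only when no whitelist is configured at all (as the
// patch does); once a non-empty array is given, the default is to reject.
function isExtensionAllowed(allowedExtensions, filename) {
  if (!Array.isArray(allowedExtensions) || allowedExtensions.length === 0) {
    return true;
  }
  var base = String(filename).split(/[\\/]/).pop();
  var ext = extensionOf(filename);
  return allowedExtensions.map(normalizeEntry).some(function (rule) {
    if (rule instanceof RegExp) {
      rule.lastIndex = 0; // a /g regex must not carry state between calls
      return rule.test(base); // regexes see the whole basename
    }
    return ext === rule; // exact extension match, not a bare suffix match
  });
}

// Constructed sample whitelist and filenames for demonstration.
function demoReport() {
  var allowed = ['png', '.JPG', /\.tar(\.gz)?$/i];
  var samples = ['photo.PNG', 'archive.TAR.GZ', 'shell.php',
                 'notes.txt.exe', '.htaccess', 'img.phpng'];
  return samples.map(function (f) {
    return f + ': ' + (isExtensionAllowed(allowed, f) ? 'accepted' : 'rejected');
  });
}

console.log(demoReport().join('\n'));
```

Comparing the extracted extension for equality (rather than `endsWith`) is what stops `img.phpng` from matching a `png` entry, and lower-casing both sides means a user-supplied `'.JPG'` and an uploaded `photo.PNG` behave as expected; RegExp entries are tested against the basename so a directory component in the filename cannot influence the match.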