feat: Add file upload restrictions (#85)

* feat: Add file upload restrictions

* Update app.json

app.json

@@ -109,6 +109,10 @@
         "description": "Is true if file upload should be allowed for authenticated users.",
         "value": "true"
       },
+      "PARSE_SERVER_FILE_UPLOAD_FILE_EXTENSIONS": {
+        "description": "Sets the allowed file extensions for uploading files. The extension is defined as an array of file extensions, or a regex pattern. It is recommended to restrict the file upload extensions as much as possible. HTML files are especially problematic as they may be used by an attacker who uploads a HTML form to look legitimate under your app's domain name, or to compromise the session token of another user via accessing the browser's local storage. Defaults to `^[^hH][^tT][^mM][^lL]?$` which allows any file extension except HTML files.",
+        "value": "^[^hH][^tT][^mM][^lL]?$"
+      },
       "PARSE_SERVER_MAX_UPLOAD_SIZE": {
         "description": "Max file size for uploads, defaults to 20mb.",
         "value": "20mb"

parse/index.js

@@ -134,6 +134,12 @@ if (process.env.PARSE_SERVER_FILE_UPLOAD_ENABLE_FOR_AUTHENTICATED_USER == 'false
   fileUploadAuthenticated = false
 }
 
+let fileExtensions = '^[^hH][^tT][^mM][^lL]?$';
+if ("PARSE_SERVER_FILE_UPLOAD_FILE_EXTENSIONS" in process.env) {
+  const extensions = process.env.PARSE_SERVER_FILE_UPLOAD_FILE_EXTENSIONS.split(", ");
+  fileExtensions = extensions;
+}
+
 let enableAnonymousUsers = true;
 if (process.env.PARSE_SERVER_ENABLE_ANON_USERS == 'false') {
   enableAnonymousUsers = false
@@ -276,6 +282,7 @@ configuration = {
     enableForPublic: fileUploadPublic,
     enableForAnonymousUser: fileUploadAnonymous,
     enableForAuthenticatedUser: fileUploadAuthenticated,
+    fileExtensions: fileExtensions,
   },
   maxUploadSize: fileMaxUploadSize,
   enableSchemaHooks: enableSchemaHooks,