Default fileExtension regex does not match plain files.

[dblythy]

New Issue Checklist

• I am not disclosing a vulnerability.
• I am not just asking a question.
• I have searched through existing issues.
• I can reproduce the issue with the latest version of Parse Server.

Issue Description

The current default fileExtension regex ("^[^hH][^tT][^mM][^lL]?$") does not match plain.

Steps to reproduce

1. Do not set fileExtension
2. Try to create file

Actual Outcome

Error

Expected Outcome

Should succeed

Environment

Server

• Parse Server version: FILL_THIS_OUT
• Operating system: FILL_THIS_OUT
• Local or remote host (AWS, Azure, Google Cloud, Heroku, Digital Ocean, etc): FILL_THIS_OUT

Database

• System (MongoDB or Postgres): FILL_THIS_OUT
• Database version: FILL_THIS_OUT
• Local or remote host (MongoDB Atlas, mLab, AWS, Azure, Google Cloud, etc): FILL_THIS_OUT

Client

• SDK (iOS, Android, JavaScript, PHP, Unity, etc): FILL_THIS_OUT
• SDK version: FILL_THIS_OUT

Logs

[parse-github-assistant]

Thanks for opening this issue!

• ❌ Please fill out all fields with a placeholder FILL_THIS_OUT, otherwise your issue will be closed. If a field does not apply to the issue, fill in n/a.

[dblythy]

Related: parse-community/Parse-SDK-JS#1979

[dblythy]

I think the default regex should instead be '^(?!html$|htm$).*'

[mtrezza]

From the web server point of view, the path component of a URI is case sensitive, so we cannot add the i flag to the regex. On the other hand modern web browsers handle file extensions case-insensitive (file.HTML, file.html, file.HtMl, etc. are all rendered as HTML).

So to truly prevent HTML content files we'd need to block any case-style without using the i flag, that's why we had the regex so far.

If we don't keep the current case insensitive regex style, then the regex could be simply ^(?!html?$). This requires only 4 steps for the regex engine, regardless of the extension string length. But that would allow uploading malicious.HTmL and browsers would likely render the HTML content.

If we want to keep the case insensitive style then we could use ^(?!(h|H)(t|T)(m|M)(l|L)?$), which should

• not match html, htm with any casing combination (e.g. html, HTML HtMl)
• match empty string '', i.e. no file extension
• match any other extension

Btw, the current file extension regex looks wrong anyway as it won't allow extensions shorter than 3 or longer than 4 chars.

[dblythy]

Is it possible that a file could be uploaded with the extension hTmL?

[mtrezza]

If the file extension regex is ["^(?!html?$)"] without the i flag, then yes, and a browser would render it. But we can't use the i flag, because we would limit developers who differentiate casing in the URI, technically index.HTML and index.html could be 2 different files. So we'd need ^(?!(h|H)(t|T)(m|M)(l|L)?$).

[parseplatformorg]

🎉 This change has been released in version 7.0.0-alpha.26

[parseplatformorg]

🎉 This change has been released in version 7.0.0-beta.1

[parseplatformorg]

🎉 This change has been released in version 7.0.0