Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CHAT-1471] Allowed/blocked file extensions and content types #582

Merged
merged 11 commits into from
Jan 25, 2021
Merged

[CHAT-1471] Allowed/blocked file extensions and content types #582

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
1c611dc
add tests for file extension and mime configs
miagilepner Jan 12, 2021
adccaf3
Merge branch 'master' into feat/CHAT-1471-app-config-upload-types
miagilepner Jan 12, 2021
bbda110
Update helloworld.md
miagilepner Jan 12, 2021
96a8666
Merge branch 'master' into feat/CHAT-1471-app-config-upload-types
miagilepner Jan 12, 2021
a7f20d3
remove empty file
miagilepner Jan 12, 2021
99feee5
Merge remote-tracking branch 'origin/master' into feat/CHAT-1471-app-…
miagilepner Jan 15, 2021
c24e893
Merge branch 'master' into feat/CHAT-1471-app-config-upload-types
miagilepner Jan 18, 2021
d73d7ae
Merge branch 'master' into feat/CHAT-1471-app-config-upload-types
miagilepner Jan 19, 2021
42a0e8d
Merge branch 'master' into feat/CHAT-1471-app-config-upload-types
vishalnarkhede Jan 20, 2021
5190d7b
Merge remote-tracking branch 'origin/master' into feat/CHAT-1471-app-…
miagilepner Jan 22, 2021
a6c7f4b
use FileUploadConfig type
miagilepner Jan 25, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions helloworld.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
# Hello World!
miagilepner marked this conversation as resolved.
Show resolved Hide resolved
21 changes: 21 additions & 0 deletions src/types.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,9 @@ export type AppSettingsAPIResponse<
disable_auth_checks?: boolean;
disable_permissions_checks?: boolean;
enforce_unique_usernames?: string;
file_upload_config?: FileUploadConfig;
image_moderation_enabled?: boolean;
image_upload_config?: FileUploadConfig;
multi_tenant_enabled?: boolean;
name?: string;
organization?: string;
Expand Down Expand Up @@ -1251,12 +1253,24 @@ export type AppSettings = {
disable_auth_checks?: boolean;
disable_permissions_checks?: boolean;
enforce_unique_usernames?: 'no' | 'app' | 'team';
file_upload_config?: {
allowed_file_extensions?: string[];
allowed_mime_types?: string[];
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just to confirm, do we have some exhaustive list of all these types/extensions? @miagilepner

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't. We could make an exhaustive list (e.g. for the media types the full list is here: https://www.iana.org/assignments/media-types/media-types.xhtml) and do validation, if you think this should be prioritized.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not necessary tbh. If backend is prepared to handle any wierd type ... then its totally fine!!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's put a comment in here with the link to the accepted types

blocked_file_extensions?: string[];
blocked_mime_types?: string[];
};
firebase_config?: {
credentials_json: string;
data_template?: string;
notification_template?: string;
server_key?: string;
};
image_upload_config?: {
allowed_file_extensions?: string[];
allowed_mime_types?: string[];
blocked_file_extensions?: string[];
blocked_mime_types?: string[];
};
push_config?: {
version?: string;
};
Expand Down Expand Up @@ -1434,6 +1448,13 @@ export type Field = {
value?: string;
};

export type FileUploadConfig = {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why don't we use this type above ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

was following the way that it's done for other objects, which repeat fields rather than using the type.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any example for a reference ?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, you're right. I thought firebase_config and apn_config did this, but I see now they have slightly different fields in AppSettings. I'll fix that.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, they are different slightly but here is exactly same. Thanks for updating.

allowed_file_extensions?: string[];
allowed_mime_types?: string[];
blocked_file_extensions?: string[];
blocked_mime_types?: string[];
};

export type FirebaseConfig = {
credentials_json?: string;
data_template?: string;
Expand Down
323 changes: 323 additions & 0 deletions test/integration/uploads.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,323 @@
import chai from 'chai';
import chaiAsPromised from 'chai-as-promised';
import fs from 'fs';
import { expectHTTPErrorCode, getServerTestClient, getTestClientForUser } from './utils';
import { v4 as uuidv4 } from 'uuid';

const expect = chai.expect;

chai.use(chaiAsPromised);

if (process.env.NODE_ENV !== 'production') {
require('longjohn');
}

const Promise = require('bluebird');
Promise.config({
longStackTraces: true,
warnings: {
wForgottenReturn: false,
},
});

describe('Uploads', () => {
const serverClient = getServerTestClient();
const channelType = uuidv4();
let client;
let channel;

before(async () => {
client = await getTestClientForUser(uuidv4());
await serverClient.createChannelType({
name: channelType,
commands: ['all'],
uploads: true,
});
channel = client.channel(channelType, uuidv4());
await channel.watch();
});
afterEach(async () => {
await serverClient.updateAppSettings({
file_upload_config: {
allowed_file_extensions: [],
blocked_file_extensions: [],
allowed_mime_types: [],
blocked_mime_types: [],
},
image_upload_config: {
allowed_file_extensions: [],
blocked_file_extensions: [],
allowed_mime_types: [],
blocked_mime_types: [],
},
});
});
describe('File Extension Restrictions', () => {
it('set file extension allowlist and blocklist', async () => {
await expectHTTPErrorCode(
400,
serverClient.updateAppSettings({
file_upload_config: {
allowed_file_extensions: ['.txt', '.csv'],
blocked_file_extensions: ['.json'],
},
}),
`StreamChat error code 4: UpdateApp failed with error: "Cannot specify both allowed file extensions and blocked file extensions"`,
);
});
it('set image file extension allowlist and blocklist', async () => {
await expectHTTPErrorCode(
400,
serverClient.updateAppSettings({
image_upload_config: {
allowed_file_extensions: ['.jpg', '.png'],
blocked_file_extensions: ['.heic'],
},
}),
`StreamChat error code 4: UpdateApp failed with error: "Cannot specify both allowed file extensions and blocked file extensions"`,
);
});
it('upload a file with extension on allowlist', async () => {
await serverClient.updateAppSettings({
file_upload_config: {
allowed_file_extensions: ['.txt', '.csv'],
},
});
const file = fs.createReadStream('helloworld.txt');
const response = await channel.sendFile(file, 'helloworld.txt', 'text/plain');
expect(response.file).to.be.an('string');
expect(response.file).to.be.not.undefined;
expect(response.file).to.be.not.eq('');
});
it('upload an image with extension on allowlist', async () => {
await serverClient.updateAppSettings({
image_upload_config: {
allowed_file_extensions: ['.jpg', '.png'],
},
});
const file = fs.createReadStream('helloworld.jpg');
const response = await channel.sendImage(
file,
'helloworld.jpg',
'image/jpeg',
);
expect(response.file).to.be.an('string');
expect(response.file).to.be.not.undefined;
expect(response.file).to.be.not.eq('');
});
it('upload a file with extension not on blocklist', async () => {
await serverClient.updateAppSettings({
file_upload_config: {
blocked_file_extensions: ['.pdf'],
},
});
const file = fs.createReadStream('helloworld.txt');
const response = await channel.sendFile(file, 'helloworld.txt', 'text/plain');
expect(response.file).to.be.an('string');
expect(response.file).to.be.not.undefined;
expect(response.file).to.be.not.eq('');
});
it('upload an image with extension not on blocklist', async () => {
await serverClient.updateAppSettings({
image_upload_config: {
blocked_file_extensions: ['.heic'],
},
});
const file = fs.createReadStream('helloworld.jpg');
const response = await channel.sendImage(
file,
'helloworld.jpg',
'image/jpeg',
);
expect(response.file).to.be.an('string');
expect(response.file).to.be.not.undefined;
expect(response.file).to.be.not.eq('');
});
it('upload a file with extension not on allowlist', async () => {
await serverClient.updateAppSettings({
file_upload_config: {
allowed_file_extensions: ['.txt', '.csv'],
},
});
const file = fs.createReadStream('helloworld.md');
await expectHTTPErrorCode(
400,
channel.sendFile(file, 'helloworld.md', 'text/markdown'),
`StreamChat error code 4: UploadFile failed with error: "File extension .md is not supported"`,
);
});
it('upload an image with extension not on allowlist', async () => {
await serverClient.updateAppSettings({
image_upload_config: {
allowed_file_extensions: ['.jpeg'],
},
});
const file = fs.createReadStream('helloworld.heic');
await expectHTTPErrorCode(
400,
channel.sendImage(file, 'helloworld.heic', 'image/heic'),
`StreamChat error code 4: UploadImage failed with error: "File extension .heic is not supported"`,
);
});
it('upload a file with extension on blocklist', async () => {
await serverClient.updateAppSettings({
file_upload_config: {
blocked_file_extensions: ['.md'],
},
});
const file = fs.createReadStream('helloworld.md');
await expectHTTPErrorCode(
400,
channel.sendFile(file, 'helloworld.md', 'text/markdown'),
`StreamChat error code 4: UploadFile failed with error: "File extension .md is not supported"`,
);
});
it('upload an image with extension on blocklist', async () => {
await serverClient.updateAppSettings({
image_upload_config: {
blocked_file_extensions: ['.heic'],
},
});
const file = fs.createReadStream('helloworld.heic');
await expectHTTPErrorCode(
400,
channel.sendImage(file, 'helloworld.heic', 'image/heic'),
`StreamChat error code 4: UploadImage failed with error: "File extension .heic is not supported"`,
);
});
});
describe('Content Type Restrictions', () => {
it('set content type allowlist and blocklist', async () => {
await expectHTTPErrorCode(
400,
serverClient.updateAppSettings({
file_upload_config: {
allowed_mime_types: ['text/plain', 'text/csv'],
blocked_mime_types: ['application/json'],
},
}),
`StreamChat error code 4: UpdateApp failed with error: "Cannot specify both allowed mime types and blocked mime types"`,
);
});
it('set image mime type allowlist and blocklist', async () => {
await expectHTTPErrorCode(
400,
serverClient.updateAppSettings({
image_upload_config: {
allowed_mime_types: ['text/plain', 'text/csv'],
blocked_mime_types: ['application/json'],
},
}),
`StreamChat error code 4: UpdateApp failed with error: "Cannot specify both allowed mime types and blocked mime types"`,
);
});
it('upload a file with mime type on allowlist', async () => {
await serverClient.updateAppSettings({
file_upload_config: {
allowed_mime_types: ['text/plain', 'text/csv'],
},
});
const file = fs.createReadStream('helloworld.txt');
const response = await channel.sendFile(file, 'helloworld.txt', 'text/plain');
expect(response.file).to.be.an('string');
expect(response.file).to.be.not.undefined;
expect(response.file).to.be.not.eq('');
});
it('upload an image with mime type on allowlist', async () => {
await serverClient.updateAppSettings({
image_upload_config: {
allowed_mime_types: ['image/jpeg'],
},
});
const file = fs.createReadStream('helloworld.jpg');
const response = await channel.sendImage(
file,
'helloworld.jpg',
'image/jpeg',
);
expect(response.file).to.be.an('string');
expect(response.file).to.be.not.undefined;
expect(response.file).to.be.not.eq('');
});
it('upload a file with mime type not on blocklist', async () => {
await serverClient.updateAppSettings({
file_upload_config: {
blocked_mime_types: ['application/json'],
},
});
const file = fs.createReadStream('helloworld.txt');
const response = await channel.sendFile(file, 'helloworld.txt', 'text/plain');
expect(response.file).to.be.an('string');
expect(response.file).to.be.not.undefined;
expect(response.file).to.be.not.eq('');
});
it('upload an image with mime type not on blocklist', async () => {
await serverClient.updateAppSettings({
image_upload_config: {
blocked_mime_types: ['image/heic'],
},
});
const file = fs.createReadStream('helloworld.jpg');
const response = await channel.sendImage(
file,
'helloworld.jpg',
'image/jpeg',
);
expect(response.file).to.be.an('string');
expect(response.file).to.be.not.undefined;
expect(response.file).to.be.not.eq('');
});
it('upload a file with mime type not on allowlist', async () => {
await serverClient.updateAppSettings({
file_upload_config: {
allowed_mime_types: ['text/plain', 'text/csv'],
},
});
const file = fs.createReadStream('helloworld.md');
await expectHTTPErrorCode(
400,
channel.sendFile(file, 'helloworld.md', 'text/markdown'),
`StreamChat error code 4: UploadFile failed with error: "File type text/markdown is not supported"`,
);
});
it('upload an image with mime type not on allowlist', async () => {
await serverClient.updateAppSettings({
image_upload_config: {
allowed_mime_types: ['image/jpeg'],
},
});
const file = fs.createReadStream('helloworld.heic');
await expectHTTPErrorCode(
400,
channel.sendImage(file, 'helloworld.heic', 'image/heic'),
`StreamChat error code 4: UploadImage failed with error: "File type image/heic is not supported"`,
);
});
it('upload a file with mime type on blocklist', async () => {
await serverClient.updateAppSettings({
file_upload_config: {
blocked_mime_types: ['text/markdown'],
},
});
const file = fs.createReadStream('helloworld.md');
await expectHTTPErrorCode(
400,
channel.sendFile(file, 'helloworld.md', 'text/markdown'),
`StreamChat error code 4: UploadFile failed with error: "File type text/markdown is not supported"`,
);
});
it('upload an image with mime type on blocklist', async () => {
await serverClient.updateAppSettings({
image_upload_config: {
blocked_mime_types: ['image/heic'],
},
});
const file = fs.createReadStream('helloworld.heic');
await expectHTTPErrorCode(
400,
channel.sendImage(file, 'helloworld.heic', 'image/heic'),
`StreamChat error code 4: UploadImage failed with error: "File type image/heic is not supported"`,
);
});
});
});