Open dremin opened 1 year ago
Hello, this fix also allows extensions which are not explicitly declared in the config. We would need to update the documentation surrounding this as well if we were to allow this.
@aruldd-twilio I wonder if allow-listing extensions is the right approach, given that the extension and mime type intend to communicate the same information. Maybe we should switch to allow-listing mime types rather than extensions?
Kudos, SonarCloud Quality Gate passed!
0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells
No Coverage information
0.0% Duplication
Presently, the attachment's mime-type is converted to a file extension, which is then compared to the list of allowed extensions. However, for files such as mp3 which have a mime type "audio/mpeg", there are multiple allowed file extensions for that mime type, so the mime-to-extension conversion results in an extension that is not allowed ("mpga"), preventing the file from being accessed, even though the file extension is mp3.
This fixes that problem by getting the full list of extensions for a mime type, rather than simply the default extension, and then checking if an extension from that list is in the allowed extensions.
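The "before" and "after" checks described in this PR, as an added example that is not the project's own code: the mime-to-extension table is a constructed partial stand-in for a `mime-types`-style lookup, and `ALLOWED_EXTENSIONS` is an assumed config allow-list. A third, stricter variant shows one way to address the reviewer's point that matching any registered extension admits files whose own extension is not in the config.

```javascript
// Constructed partial table: first entry plays the role of the "default" extension.
const MIME_EXTENSIONS = {
  'audio/mpeg': ['mpga', 'mp2', 'mp2a', 'mp3', 'm2a', 'm3a'],
  'image/png': ['png'],
  'application/pdf': ['pdf'],
};

// Assumed allow-list as it might appear in the plugin config.
const ALLOWED_EXTENSIONS = ['mp3', 'png', 'pdf'];

function defaultExtension(mimeType) {
  const exts = MIME_EXTENSIONS[mimeType];
  return exts ? exts[0] : null;
}

// Before: only the default extension for the mime type is compared, so
// audio/mpeg -> "mpga" is rejected even though the file is an mp3.
function isAllowedBefore(mimeType, allowed = ALLOWED_EXTENSIONS) {
  const ext = defaultExtension(mimeType);
  return ext !== null && allowed.includes(ext);
}

// After (the fix described above): every extension registered for the mime
// type is considered, and the attachment passes if any of them is allowed.
function isAllowedAfter(mimeType, allowed = ALLOWED_EXTENSIONS) {
  const exts = MIME_EXTENSIONS[mimeType] || [];
  return exts.some((ext) => allowed.includes(ext));
}

// Stricter variant (hypothetical, not from the PR): the attachment's own
// extension must be in the allow-list AND be consistent with its mime type,
// so "song.mpga" with audio/mpeg is refused while "song.mp3" is accepted.
function isAllowedStrict(filename, mimeType, allowed = ALLOWED_EXTENSIONS) {
  const dot = filename.lastIndexOf('.');
  if (dot < 0) return false;
  const ext = filename.slice(dot + 1).toLowerCase();
  const exts = MIME_EXTENSIONS[mimeType] || [];
  return allowed.includes(ext) && exts.includes(ext);
}
```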