Merge pull request #8537 from ProcessMaker/task/FOUR-26751

FOUR-26751: Make the dangerous_extensions verification configurable

Author: nolanpro

ProcessMaker/Http/Controllers/Api/ProcessRequestFileController.php

@@ -450,15 +450,17 @@ public function destroy(Request $laravel_request, ProcessRequest $request, $file
     private function validateFile(UploadedFile $file, &$errors)
     {
         // Explicitly reject archive files for security
-        $this->rejectArchiveFiles($file, $errors);
+        if (config('files.enable_dangerous_validation')) {
+            $this->rejectArchiveFiles($file, $errors);
+        }
 
         // Validate file extension if enabled
-        if (config('files.enable_extension_validation', true)) {
+        if (config('files.enable_extension_validation')) {
             $this->validateFileExtension($file, $errors);
         }
 
         // Validate MIME type vs extension if enabled
-        if (config('files.enable_mime_validation', true)) {
+        if (config('files.enable_mime_validation')) {
             $this->validateExtensionMimeTypeMatch($file, $errors);
         }
 

config/files.php

@@ -72,6 +72,16 @@
         'mp4'  => ['video/mp4'],
     ],
 
+    /*
+    |--------------------------------------------------------------------------
+    | Enable DANGEROUS Validation
+    |--------------------------------------------------------------------------
+    |
+    | Whether to enable dangerous file validation that checks against
+    |
+    */
+    'enable_dangerous_validation' => env('ENABLE_DANGEROUS_VALIDATION', true),
+
     /*
     |--------------------------------------------------------------------------
     | Enable MIME Type Validation