@pmPaulis pmPaulis commented Sep 24, 2025

Issue & Reproduction Steps

Make the dangerous_extensions verification configurable

Solution

By default, all are true.
To disable the validation, add these to the .env:

ENABLE_DANGEROUS_VALIDATION=false
ENABLE_MIME_VALIDATION=false
ENABLE_EXTENSION_VALIDATION=false

How to Test

'dangerous_extensions' => [
    'zip', 'rar', '7z', 'tar', 'gz', 'bz2', 'xz', 'lzma',
    'cab', 'ar', 'iso', 'dmg', 'pkg', 'deb', 'rpm',
],

Related Tickets & Packages

Code Review Checklist

  • I have pulled this code locally and tested it on my instance, along with any associated packages.
  • This code adheres to ProcessMaker Coding Guidelines.
  • This code includes a unit test or an E2E test that tests its functionality, or is covered by an existing test.
  • This solution fixes the bug reported in the original ticket.
  • This solution does not alter the expected output of a component in a way that would break existing Processes.
  • This solution does not implement any breaking changes that would invalidate documentation or cause existing Processes to fail.
  • This solution has been tested with enterprise packages that rely on its functionality and does not introduce bugs in those packages.
  • This code does not duplicate functionality that already exists in the framework or in ProcessMaker.
  • This ticket conforms to the PRD associated with this part of ProcessMaker.

ci:deploy
ci:ENABLE_DANGEROUS_VALIDATION=false
ci:ENABLE_MIME_VALIDATION=false
ci:ENABLE_EXTENSION_VALIDATION=false

@processmaker-sonarqube

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube

@vladyrichter

QA server K8S was successfully deployed https://ci-96fe8ade36.engk8s.processmaker.net

@ana-mauricio ana-mauricio left a comment

The following errors were detected when the variables are set to false:
ENABLE_DANGEROUS_VALIDATION=false ENABLE_EXTENSION_VALIDATION=false ENABLE_MIME_VALIDATION=false

  • It is not possible to upload dangerous files from public files

But it is possible to upload dangerous files from Upload file control

pmPaulis commented Sep 26, 2025

@ana-mauricio
About the SVG behavior, please review this ticket: https://processmaker.atlassian.net/browse/FOUR-16706. It was defined there.
Regards,

pmPaulis commented Sep 29, 2025

@ana-mauricio

The UPLOAD A FILE control in public files has some restrictions on the extensions. This is not related to the changes.
I validated this in another version, 4.15.3.
Regards,

@ana-mauricio ana-mauricio left a comment

The following doc ticket was created: DOC-3723: Add documentation to Public Files to allowed_extensions and dangerous_extensions
With this clarification, this configuration of dangerous and allowed extensions does not apply to public files.

So the ticket is approved.

@nolanpro nolanpro changed the base branch from develop to 4.15.8 October 2, 2025 18:58
@nolanpro nolanpro merged commit bd618b3 into 4.15.8 Oct 2, 2025
16 of 20 checks passed