[Awaiting C+ Payment confirmation] [HOLD for payment 2023-08-21] [$1000] Inconsistent file error result on uploading unsupported file type

[kavimuru]

If you haven’t already, check out our contributing guidelines for onboarding and email contributors@expensify.com to request to join our Slack channel!

---

Action Performed:

1. Open staging.new.expensify.com
2. Send a .exe file to a chat
3. Send a .tar.gz file to a chat

Expected Result:

Both should have consistent unsupported file type error

Actual Result:

While trying to attach .exe file returned error dialog immediately, trying to attach .tar.gz file doesn't returned the same dialog error and returned the error on sending the message instead

Workaround:

Can the user still use Expensify without this being fixed? Have you informed them of the workaround?

Platforms:

Which of our officially supported platforms is this issue occurring on?

• Android / native
• Android / Chrome
• iOS / native
• iOS / Safari
• MacOS / Chrome / Safari
• MacOS / Desktop

Version Number: 1.3.19-2
Reproducible in staging?: y
Reproducible in production?: y
If this was caught during regression testing, add the test name, ID and link from TestRail:
Email or phone of affected tester (no customers):
Logs: https://stackoverflow.com/c/expensify/questions/4856
Notes/Photos/Videos: Any additional supporting documentation

Inconsistent.File.Filter.mp4

Recording.785.mp4

Expensify/Expensify Issue URL:
Issue reported by: @kerupuksambel
Slack conversation:
https://expensify.slack.com/archives/C049HHMV9SM/p1684986305893649
View all open jobs on GitHub

Upwork Automation - Do Not Edit

• Upwork Job URL: https://www.upwork.com/jobs/~018f83b776223928ef
• Upwork Job ID: 1663615039149555712
• Last Price Increase: 2023-06-06

[melvin-bot]

Triggered auto assignment to @trjExpensify (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

[melvin-bot]

Bug0 Triage Checklist (Main S/O)

• This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
• This bug is not a duplicate report (check E/App issues and #expensify-bugs)
  • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
• This bug is reproducible using the reproduction steps in the OP. S/O
  • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
  • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
• This issue is filled out as thoroughly and clearly as possible
  • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
• I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

[PrashantMangukiya]

Proposal

Posting proposal early as per new guidelines

Please re-state the problem that we are trying to solve in this issue.

Inconsistent file error result on uploading unsupported file type

What is the root cause of that problem?

Not allowed file type checking done via variable from const file here

App/src/CONST.js

Lines 41 to 95 in 12d2f3c

	UNALLOWED_EXTENSIONS: [
	'ade',
	'adp',
	'apk',
	'appx',
	'appxbundle',
	'bat',
	'cab',
	'chm',
	'cmd',
	'com',
	'cpl',
	'diagcab',
	'diagcfg',
	'diagpack',
	'dll',
	'dmg',
	'ex',
	'ex_',
	'exe',
	'hta',
	'img',
	'ins',
	'iso',
	'isp',
	'jar',
	'jnlp',
	'js',
	'jse',
	'lib',
	'lnk',
	'mde',
	'msc',
	'msi',
	'msix',
	'msixbundle',
	'msp',
	'mst',
	'nsh',
	'pif',
	'ps1',
	'scr',
	'sct',
	'shb',
	'sys',
	'vb',
	'vbe',
	'vbs',
	'vhd',
	'vxd',
	'wsc',
	'wsf',
	'wsh',
	'xll',
	],

We can see gz extension not added in this. So it will not show error while file selected with gz extension. This is the root cause of the problem.

What changes do you think we should make in order to solve the problem?

We have to add gz extension within UNALLOWED_EXTENSIONS array as shown under. It will solve the issue.

UNALLOWED_EXTENSIONS: [ 
   ...
  'exe',
  'gz',    // *** Add this
  'hta',
   ...
]

What alternative solutions did you explore? (Optional)

None

Result

19718-Unallowed.mov

[trjExpensify]

Yeah, seems clear to me. Though, @Beamanator are we just going to keep running into this maintaining a list of "unallowed filetypes" versus a list of allowed ones and then throwing the front-end error if it's not one of them? 😕

[melvin-bot]

Job added to Upwork: https://www.upwork.com/jobs/~018f83b776223928ef

[melvin-bot]

Current assignee @trjExpensify is eligible for the External assigner, not assigning anyone new.

[melvin-bot]

Triggered auto assignment to Contributor-plus team member for initial proposal review - @sobitneupane (External)

[melvin-bot]

Triggered auto assignment to @amyevans (External), see https://stackoverflow.com/c/expensify/questions/7972 for more details.

[Beamanator]

@trjExpensify gooood question, I think there's another issue somewhere else where someone has been working on allowing all file types? Or many more or something like that? I've really only mainly worked on image file type stuff for avatars sorry :D

[amyevans]

I believe it's @youssef-lr

[youssef-lr]

I'm not really sure if we should fix this, or, as a few engineers have suggested, remove this limitation and allow all filetypes to be uploaded. We initially implemented this as a measure of security to protect users from downloading potentially harmful files in public rooms. I think I'll bring this up and Slack to see if we really need to be blocking certain filetypes or not.

[youssef-lr]

Discussion here: https://expensify.slack.com/archives/C03TQ48KC/p1685473892542269

[amyevans]

Thanks!

[trjExpensify]

Where did we land here?

[amyevans]

I bumped the thread to confirm if this is the path we'd like to pursue:

remove the list of unallowed extensions from both App and Web-E

[trjExpensify]

Cool, seems like we have agreement yeah?

[amyevans]

Yes, let's field an external proposal to remove the UNALLOWED_EXTENSIONS list and any related logic from the FE.

cc @PrashantMangukiya in case you'd like to update your proposal

[PrashantMangukiya]

@amyevans Sure, let me update proposal to remove UNALLOWED_EXTENSIONS list and any related logic from the FE.

[youssef-lr]

Woops, on it.

[trjExpensify]

PR hit staging 4 days ago, Melv.

[melvin-bot]

Reviewing label has been removed, please complete the "BugZero Checklist".

[melvin-bot]

The solution for this issue has been 🚀 deployed to production 🚀 in version 1.3.53-2 and is now subject to a 7-day regression period 📆. Here is the list of pull requests that resolve this issue:

• Remove filetype restriction for file uploads #21285

If no regressions arise, payment will be issued on 2023-08-21. 🎊

After the hold period is over and BZ checklist items are completed, please complete any of the applicable payments for this issue, and check them off once done.

• External issue reporter
• Contributor that fixed the issue
• Contributor+ that helped on the issue and/or PR

For reference, here are some details about the assignees on this issue:

• @sobitneupane does not require payment (Eligable for Manual Requests)

As a reminder, here are the bonuses/penalties that should be applied for any External issue:

• Merged PR within 3 business days of assignment - 50% bonus
• Merged PR more than 9 business days after assignment - 50% penalty

[melvin-bot]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

• [@sobitneupane] The PR that introduced the bug has been identified. Link to the PR:
• [@sobitneupane] The offending PR has been commented on, pointing out the bug it caused and why, so the author and reviewers can learn from the mistake. Link to comment:
• [@sobitneupane] A discussion in #expensify-bugs has been started about whether any other steps should be taken (e.g. updating the PR review checklist) in order to catch this type of bug sooner. Link to discussion:
• [@sobitneupane] Determine if we should create a regression test for this bug.
• [@sobitneupane] If we decide to create a regression test for the bug, please propose the regression test steps to ensure the same bug will not reach production again.
• [@trjExpensify] Link the GH issue for creating/updating the regression test once above steps have been agreed upon:

[sobitneupane]

BugZero Checklist: The PR fixing this issue has been merged! The following checklist (instructions) will need to be completed before the issue can be closed:

The cause of the initially reported issue is missing of certain file type in UNALLOWED_EXTENSIONS. We got rid of all those UNALLOWED_EXTENSIONS and now all file types are allowed.

[sobitneupane]

Regression Test Proposal

1. Upload files with extension .exe and .tar.gz
2. Verify that those files are uploaded successfully without any error.

Do we agree 👍 or 👎

[sobitneupane]

Requested payment on newDot.

[trjExpensify]

Okay, so confirming payments as follows:

• $1,000 to @sobitneupane for C+ review of the internal PR
• $250 to @kerupuksambel for the bug report.

As for the regression test proposal, we already have multiple (and more common) different file types being tested, so I don't think we need to add one for .tar and .exe specifically.

[trjExpensify]

@kerupuksambel - sent you an offer!

[kerupuksambel]

@kerupuksambel - sent you an offer!

Accepted the offer, thank you!

[trjExpensify]

Paid! Updating the title to await confirmation of @sobitneupane's.

[melvin-bot]

@amyevans, @youssef-lr, @trjExpensify, @sobitneupane Whoops! This issue is 2 days overdue. Let's get this updated quick!

[melvin-bot]

@amyevans, @youssef-lr, @trjExpensify, @sobitneupane 6 days overdue. This is scarier than being forced to listen to Vogon poetry!

[amyevans]

@trjExpensify Do we need to keep it open for confirmation of C+ payment? I think on other issues I've seen them closed prior.

[JmillsExpensify]

Reviewed the details for @sobitneupane. $1,000 approved for payment in NewDot based on BZ summary.