
🎨 Expanded file upload allowlist with non-executable formats#27677

Merged
allouis merged 1 commit into TryGhost:main from magicpages:fix/expand-file-upload-allowlist on May 6, 2026

Conversation

betschki (Contributor) commented May 5, 2026

ref #26869

  • the allowlist introduced in Added file type validation and content-type control for file uploads #26869 protects against executable content on the shared CDN domain, but rejects many legitimate non-executable formats that worked before (camera RAW files, common archive formats, modern image/video containers, 3D/CAD formats, etc.)
  • the additions are safe because the storage adapter's getStorageContentType() already falls back to application/octet-stream for any extension whose MIME type is not on the browser-renderable allowlist, forcing a download rather than rendering or executing the file
  • new extensions cover photography (.np3, .nef, .cr2, .cr3, .arw, .raf, .orf, .rw2, .dng, .tif, .tiff, .bmp, .heic, .heif, .avif), audio (.flac, .aac, .aif, .aiff, .opus, .mid, .midi), video (.webm, .mkv, .avi, .m4v), archives (.7z, .rar, .gz, .tgz, .tar, .bz2), 3D/design (.stl, .obj, .glb, .gltf, .fbx, .blend, .ai, .eps, .xcf), fonts (.ttf, .eot), data/docs (.toml, .tsv, .geojson, .vcf, .numbers, .odp, .ppt, .fb2)
  • sorted the array alphabetically for easier future maintenance
  • updated the importer glob test to match the expanded list


ref TryGhost#26869

- the allowlist introduced in TryGhost#26869 protects against executable
  content on the shared CDN domain, but rejects many legitimate
  non-executable formats that worked before (camera RAW files, common
  archive formats, modern image/video containers, 3D/CAD formats,
  etc.)
- the additions are safe because the storage adapter's
  `getStorageContentType()` already falls back to
  `application/octet-stream` for any extension whose MIME type is not
  on the browser-renderable allowlist, forcing a download rather than
  rendering or executing the file
- new extensions cover photography (.np3, .nef, .cr2, .cr3, .arw,
  .raf, .orf, .rw2, .dng, .tif, .tiff, .bmp, .heic, .heif, .avif),
  audio (.flac, .aac, .aif, .aiff, .opus, .mid, .midi),
  video (.webm, .mkv, .avi, .m4v),
  archives (.7z, .rar, .gz, .tgz, .tar, .bz2),
  3D/design (.stl, .obj, .glb, .gltf, .fbx, .blend, .ai, .eps, .xcf),
  fonts (.ttf, .eot),
  data/docs (.toml, .tsv, .geojson, .vcf, .numbers, .odp, .ppt, .fb2)
- sorted the array alphabetically for easier future maintenance
- updated the importer glob test to match the expanded list
coderabbitai Bot (Contributor) commented May 5, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 45490b5 and 47fae1d.

📒 Files selected for processing (2)
  • ghost/core/core/shared/config/overrides.json
  • ghost/core/test/unit/server/data/importer/index.test.js

Walkthrough

The pull request expands the supported file upload extensions in the Ghost configuration. The uploads.files.extensions array in the configuration file was updated to include a significantly larger set of file types, such as archives, documents, fonts, and data/config formats, increasing the count from 55 to 105 supported extensions. The corresponding unit test for ImportManager was updated to reflect this expanded set of supported extensions and validate the new glob pattern that represents all the newly added file types.

Pre-merge checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | Passed | The title accurately describes the main change: expanding the file upload allowlist to include non-executable file formats. |
| Description check | Passed | The description is directly related to the changeset, providing clear context about why the allowlist was expanded and detailing the new file extensions added. |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request. |


@allouis allouis merged commit 5b7a4e1 into TryGhost:main May 6, 2026
44 checks passed
@betschki betschki deleted the fix/expand-file-upload-allowlist branch May 6, 2026 06:52