feat: implement file extension blacklist for upload security (#27540)

docker/.env.example

@@ -762,6 +762,12 @@ UPLOAD_FILE_SIZE_LIMIT=15
 # The maximum number of files that can be uploaded at a time, default 5.
 UPLOAD_FILE_BATCH_LIMIT=5
 
+# Comma-separated list of file extensions blocked from upload for security reasons.
+# Extensions should be lowercase without dots (e.g., exe,bat,sh,dll).
+# Empty by default to allow all file types.
+# Recommended: exe,bat,cmd,com,scr,vbs,ps1,msi,dll
+UPLOAD_FILE_EXTENSION_BLACKLIST=
+
 # ETL type, support: `dify`, `Unstructured`
 # `dify` Dify's proprietary file extraction scheme
 # `Unstructured` Unstructured.io file extraction scheme

docker/docker-compose.yaml

@@ -353,6 +353,7 @@ x-shared-env: &shared-api-worker-env
   CLICKZETTA_VECTOR_DISTANCE_FUNCTION: ${CLICKZETTA_VECTOR_DISTANCE_FUNCTION:-cosine_distance}
   UPLOAD_FILE_SIZE_LIMIT: ${UPLOAD_FILE_SIZE_LIMIT:-15}
   UPLOAD_FILE_BATCH_LIMIT: ${UPLOAD_FILE_BATCH_LIMIT:-5}
+  UPLOAD_FILE_EXTENSION_BLACKLIST: ${UPLOAD_FILE_EXTENSION_BLACKLIST:-}
   ETL_TYPE: ${ETL_TYPE:-dify}
   UNSTRUCTURED_API_URL: ${UNSTRUCTURED_API_URL:-}
   UNSTRUCTURED_API_KEY: ${UNSTRUCTURED_API_KEY:-}