@@ -402,3 +402,31 @@ def test_mime_type_validation_skip():
402402
403403 # Should be forbidden
404404 assert not is_supported_type ("other.js" )
405+
406+
407+ def test_allowed_extensions_override ():
408+ """Extensions in UPLOAD_EXTENSIONS_WHITELIST are accepted even though they are in FORBIDDEN_EXTENSIONS."""
409+ with patch (
410+ "mergin.sync.utils.Configuration.UPLOAD_EXTENSIONS_WHITELIST" , [".py" , ".sh" ]
411+ ):
412+ # forbidden by default, now explicitly allowed
413+ assert is_supported_extension ("model.py" )
414+ assert is_supported_extension ("scripts/deploy.sh" )
415+ # match is case-insensitive
416+ assert is_supported_extension ("MODEL.PY" )
417+ # extensions not in the override stay blocked
418+ assert not is_supported_extension ("malware.exe" )
419+ assert not is_supported_extension ("app.js" )
420+
421+
422+ def test_extension_whitelist_skips_mime_check ():
423+ """A whitelisted extension also bypasses the MIME check via check_skip_validation."""
424+ with patch ("mergin.sync.utils.get_mimetype" , return_value = "text/x-shellscript" ):
425+ # blocked when the extension is not whitelisted
426+ with patch ("mergin.sync.utils.Configuration.UPLOAD_EXTENSIONS_WHITELIST" , []):
427+ assert not is_supported_type ("deploy.sh" )
428+ # allowed once the extension is whitelisted
429+ with patch (
430+ "mergin.sync.utils.Configuration.UPLOAD_EXTENSIONS_WHITELIST" , [".sh" ]
431+ ):
432+ assert is_supported_type ("deploy.sh" )
0 commit comments