You can use a middleware at the API level to throw an error on restricted file types.
I implemented this as a global middleware; you can also apply it at the route level (see "Middlewares | Strapi Documentation").
This is my api/middlewares/fileCheck.js:
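/**
 * Strapi middleware factory: rejects upload requests whose declared file name
 * carries a restricted extension, either as the final extension or hidden
 * earlier in the name ("invoice.php.png").
 *
 * Limits of this check:
 * - It is a denylist on the name only; file content is never inspected. An
 *   allowlist of the few types the application really needs is the stronger
 *   control.
 * - NOTE(review): `fileInfo` is metadata sent by the client next to the file.
 *   Confirm that the name checked here is the one the upload handler stores,
 *   and validate the multipart file's own name and type as well.
 * - NOTE(review): a plain Error presumably surfaces as a 5xx response; map it
 *   to a 4xx in the error handler if clients should see a validation error.
 *
 * @param {object} config - Middleware configuration (unused).
 * @param {{ strapi: object }} context - Gives access to the Strapi logger.
 * @returns {(ctx: object, next: Function) => Promise<void>} Koa-style middleware.
 * @throws {Error} From the returned middleware, when fileInfo is missing or
 *   malformed or when a name contains a restricted extension.
 */
module.exports = (config, { strapi }) => {
  // Built once per middleware instance; a Set gives O(1) lookups.
  const restrictedExtensions = new Set([
    ".exe", ".bat", ".msi", ".com", ".cmd", ".vbs", ".scr", ".js", ".ps1",
    ".php", ".py", ".pl", ".rb", ".sh", ".jsp",
    ".zip", ".rar", ".tar", ".gz", ".7z", ".bz2", ".xz",
    ".ini", ".config", ".xml", ".yml", ".json",
    ".sql", ".db", ".mdb", ".accdb",
    ".msh", ".app", ".elf", ".html", ".htm", ".css",
    ".docm", ".xlsm", ".pptm", ".dotm", ".potm", ".xltm", ".xltx", ".xlam",
    ".key", ".pem", ".pfx", ".asc",
    ".locky", ".zepto", ".cerber", ".astra", ".kraken", ".diablo",
  ]);

  const malformedMessage = "Invalid file format. Missing or malformed fileInfo.";

  // Turns the raw fileInfo field (JSON string, or a list of them) into objects.
  const readFileInfos = (raw) => {
    if (raw == null) {
      // Fail closed: an upload without a declared name cannot be checked.
      throw new Error(malformedMessage);
    }
    const entries = Array.isArray(raw) ? raw : [raw];
    const infos = entries.flatMap((entry) => {
      let parsed;
      try {
        parsed = typeof entry === "string" ? JSON.parse(entry) : entry;
      } catch (err) {
        throw new Error(malformedMessage, { cause: err });
      }
      return Array.isArray(parsed) ? parsed : [parsed];
    });
    if (infos.length === 0) {
      throw new Error(malformedMessage);
    }
    return infos;
  };

  // Throws when any dot-separated segment after the base name is restricted.
  const assertAllowedName = (info) => {
    if (info === null || typeof info !== "object" || typeof info.name !== "string") {
      throw new Error(malformedMessage);
    }
    // Lower-case and trim so ".EXE" or "exe " cannot slip past the list, and
    // drop empty segments so a trailing dot ("tool.exe.") hides nothing.
    const segments = info.name
      .split(".")
      .slice(1)
      .map((segment) => segment.trim().toLowerCase())
      .filter((segment) => segment !== "");
    if (segments.length === 0) {
      return; // no extension at all
    }
    const isRestricted = (segment) => restrictedExtensions.has(`.${segment}`);
    if (isRestricted(segments[segments.length - 1])) {
      throw new Error("Invalid file type");
    }
    // Double extensions: a restricted segment anywhere before the last one.
    if (segments.slice(0, -1).some(isRestricted)) {
      throw new Error(
        "Invalid file format. Files with restricted extensions are not allowed."
      );
    }
  };

  return async (ctx, next) => {
    strapi.log.info("In file-check middleware.");
    // The request body is deliberately not logged: it is client-controlled and
    // may contain data that does not belong in logs.

    // Compare the path only, so "/upload?x=1" is checked like "/upload".
    const path = String(ctx.request.url).split("?")[0];
    if (path === "/upload") {
      for (const info of readFileInfos(ctx.request.body?.fileInfo)) {
        assertAllowedName(info);
      }
    }
    await next();
  };
};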