refactor: Server crash when uploading file without extension; fixes security vulnerability [GHSA-792q-q67h-w579](GHSA-792q-q67h-w579) (#8779)

Author: mtrezza

spec/ParseFile.spec.js

@@ -1432,6 +1432,34 @@ describe('Parse.File testing', () => {
       }
     });
 
+    it('allows file without extension', async () => {
+      await reconfigureServer({
+        fileUpload: {
+          enableForPublic: true,
+          fileExtensions: ['^[^hH][^tT][^mM][^lL]?$'],
+        },
+      });
+      const headers = {
+        'X-Parse-Application-Id': 'test',
+        'X-Parse-REST-API-Key': 'rest',
+      };
+
+      const values = ['filenamewithoutextension'];
+
+      for (const value of values) {
+        await expectAsync(
+          request({
+            method: 'POST',
+            headers: headers,
+            url: `http://localhost:8378/1/files/${value}`,
+            body: '<html></html>\n',
+          }).catch(e => {
+            throw new Error(e.data.error);
+          })
+        ).toBeResolved();
+      }
+    });
+
     it('works with array', async () => {
       await reconfigureServer({
         fileUpload: {

src/Routers/FilesRouter.js

@@ -159,9 +159,9 @@ export class FilesRouter {
       } else if (contentType && contentType.includes('/')) {
         extension = contentType.split('/')[1];
       }
-      extension = extension.split(' ').join('');
+      extension = extension?.split(' ')?.join('');
 
-      if (!isValidExtension(extension)) {
+      if (extension && !isValidExtension(extension)) {
         next(
           new Parse.Error(
             Parse.Error.FILE_SAVE_ERROR,