feat: implement file extension blacklist for upload security (#27540)

docker/.env.example

@@ -762,6 +762,12 @@ UPLOAD_FILE_SIZE_LIMIT=15
 # The maximum number of files that can be uploaded at a time, default 5.
 UPLOAD_FILE_BATCH_LIMIT=5
 
+# Comma-separated list of file extensions blocked from upload for security reasons.
+# Extensions should be lowercase without dots (e.g., exe,bat,sh,dll).
+# Empty by default to allow all file types.
+# Recommended: exe,bat,cmd,com,scr,vbs,ps1,msi,dll
+UPLOAD_FILE_EXTENSION_BLACKLIST=
+
 # ETL type, support: `dify`, `Unstructured`
 # `dify` Dify's proprietary file extraction scheme
 # `Unstructured` Unstructured.io file extraction scheme