mirror of
https://github.com/BookStackApp/BookStack.git
synced 2024-10-01 05:36:00 +00:00
Merge branch '3027_attachment_vuln'
This commit is contained in:
Dan Brown
commit
ce3f489188
@ -66,13 +66,13 @@ class CommentRepo
|
||||
/**
|
||||
* Delete a comment from the system.
|
||||
*/
|
||||
public function delete(Comment $comment)
|
||||
public function delete(Comment $comment): void
|
||||
{
|
||||
$comment->delete();
|
||||
}
|
||||
|
||||
/**
|
||||
* Convert the given comment markdown text to HTML.
|
||||
* Convert the given comment Markdown to HTML.
|
||||
*/
|
||||
public function commentToHtml(string $commentText): string
|
||||
{
|
||||
|
||||
@ -27,7 +27,7 @@ use Illuminate\Support\Collection;
|
||||
/**
|
||||
* Class User.
|
||||
*
|
||||
* @property string $id
|
||||
* @property int $id
|
||||
* @property string $name
|
||||
* @property string $slug
|
||||
* @property string $email
|
||||
|
||||
@ -9,6 +9,7 @@ use BookStack\Exceptions\ImageUploadException;
|
||||
use BookStack\Facades\Theme;
|
||||
use BookStack\Theming\ThemeEvents;
|
||||
use BookStack\Uploads\ImageRepo;
|
||||
use BookStack\Uploads\ImageService;
|
||||
use BookStack\Util\HtmlContentFilter;
|
||||
use DOMDocument;
|
||||
use DOMNodeList;
|
||||
@ -130,7 +131,7 @@ class PageContent
|
||||
$imageInfo = $this->parseBase64ImageUri($uri);
|
||||
|
||||
// Validate extension and content
|
||||
if (empty($imageInfo['data']) || !$imageRepo->imageExtensionSupported($imageInfo['extension'])) {
|
||||
if (empty($imageInfo['data']) || !ImageService::isExtensionSupported($imageInfo['extension'])) {
|
||||
return '';
|
||||
}
|
||||
|
||||
|
||||
@ -68,6 +68,7 @@ class AttachmentController extends Controller
|
||||
'file' => 'required|file',
|
||||
]);
|
||||
|
||||
/** @var Attachment $attachment */
|
||||
$attachment = Attachment::query()->findOrFail($attachmentId);
|
||||
$this->checkOwnablePermission('view', $attachment->page);
|
||||
$this->checkOwnablePermission('page-update', $attachment->page);
|
||||
@ -86,11 +87,10 @@ class AttachmentController extends Controller
|
||||
|
||||
/**
|
||||
* Get the update form for an attachment.
|
||||
*
|
||||
* @return \Illuminate\Contracts\Foundation\Application|\Illuminate\Contracts\View\Factory|\Illuminate\View\View
|
||||
*/
|
||||
public function getUpdateForm(string $attachmentId)
|
||||
{
|
||||
/** @var Attachment $attachment */
|
||||
$attachment = Attachment::query()->findOrFail($attachmentId);
|
||||
|
||||
$this->checkOwnablePermission('page-update', $attachment->page);
|
||||
@ -173,6 +173,7 @@ class AttachmentController extends Controller
|
||||
|
||||
/**
|
||||
* Get the attachments for a specific page.
|
||||
* @throws NotFoundException
|
||||
*/
|
||||
public function listForPage(int $pageId)
|
||||
{
|
||||
|
||||
@ -5,6 +5,7 @@ namespace BookStack\Http\Controllers;
|
||||
use BookStack\Facades\Activity;
|
||||
use BookStack\Interfaces\Loggable;
|
||||
use BookStack\Model;
|
||||
use BookStack\Util\WebSafeMimeSniffer;
|
||||
use finfo;
|
||||
use Illuminate\Foundation\Bus\DispatchesJobs;
|
||||
use Illuminate\Foundation\Validation\ValidatesRequests;
|
||||
@ -117,8 +118,9 @@ abstract class Controller extends BaseController
|
||||
protected function downloadResponse(string $content, string $fileName): Response
|
||||
{
|
||||
return response()->make($content, 200, [
|
||||
'Content-Type' => 'application/octet-stream',
|
||||
'Content-Disposition' => 'attachment; filename="' . $fileName . '"',
|
||||
'Content-Type' => 'application/octet-stream',
|
||||
'Content-Disposition' => 'attachment; filename="' . $fileName . '"',
|
||||
'X-Content-Type-Options' => 'nosniff',
|
||||
]);
|
||||
}
|
||||
|
||||
@ -128,12 +130,13 @@ abstract class Controller extends BaseController
|
||||
*/
|
||||
protected function inlineDownloadResponse(string $content, string $fileName): Response
|
||||
{
|
||||
$finfo = new finfo(FILEINFO_MIME_TYPE);
|
||||
$mime = $finfo->buffer($content) ?: 'application/octet-stream';
|
||||
|
||||
$mime = (new WebSafeMimeSniffer)->sniff($content);
|
||||
|
||||
return response()->make($content, 200, [
|
||||
'Content-Type' => $mime,
|
||||
'Content-Disposition' => 'inline; filename="' . $fileName . '"',
|
||||
'Content-Type' => $mime,
|
||||
'Content-Disposition' => 'inline; filename="' . $fileName . '"',
|
||||
'X-Content-Type-Options' => 'nosniff',
|
||||
]);
|
||||
}
|
||||
|
||||
|
||||
@ -67,13 +67,12 @@ class DrawioImageController extends Controller
|
||||
public function getAsBase64($id)
|
||||
{
|
||||
$image = $this->imageRepo->getById($id);
|
||||
$page = $image->getPage();
|
||||
if ($image === null || $image->type !== 'drawio' || !userCan('page-view', $page)) {
|
||||
if (is_null($image) || $image->type !== 'drawio' || !userCan('page-view', $image->getPage())) {
|
||||
return $this->jsonError('Image data could not be found');
|
||||
}
|
||||
|
||||
$imageData = $this->imageRepo->getImageData($image);
|
||||
if ($imageData === null) {
|
||||
if (is_null($imageData)) {
|
||||
return $this->jsonError('Image data could not be found');
|
||||
}
|
||||
|
||||
|
||||
@ -7,25 +7,23 @@ use BookStack\Exceptions\NotFoundException;
|
||||
use BookStack\Http\Controllers\Controller;
|
||||
use BookStack\Uploads\Image;
|
||||
use BookStack\Uploads\ImageRepo;
|
||||
use BookStack\Uploads\ImageService;
|
||||
use Exception;
|
||||
use Illuminate\Filesystem\Filesystem as File;
|
||||
use Illuminate\Http\Request;
|
||||
use Illuminate\Validation\ValidationException;
|
||||
|
||||
class ImageController extends Controller
|
||||
{
|
||||
protected $image;
|
||||
protected $file;
|
||||
protected $imageRepo;
|
||||
protected $imageService;
|
||||
|
||||
/**
|
||||
* ImageController constructor.
|
||||
*/
|
||||
public function __construct(Image $image, File $file, ImageRepo $imageRepo)
|
||||
public function __construct(ImageRepo $imageRepo, ImageService $imageService)
|
||||
{
|
||||
$this->image = $image;
|
||||
$this->file = $file;
|
||||
$this->imageRepo = $imageRepo;
|
||||
$this->imageService = $imageService;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -35,14 +33,13 @@ class ImageController extends Controller
|
||||
*/
|
||||
public function showImage(string $path)
|
||||
{
|
||||
$path = storage_path('uploads/images/' . $path);
|
||||
if (!file_exists($path)) {
|
||||
if (!$this->imageService->pathExistsInLocalSecure($path)) {
|
||||
throw (new NotFoundException(trans('errors.image_not_found')))
|
||||
->setSubtitle(trans('errors.image_not_found_subtitle'))
|
||||
->setDetails(trans('errors.image_not_found_details'));
|
||||
}
|
||||
|
||||
return response()->file($path);
|
||||
return $this->imageService->streamImageFromStorageResponse('gallery', $path);
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
@ -2,6 +2,7 @@
|
||||
|
||||
namespace BookStack\Providers;
|
||||
|
||||
use BookStack\Uploads\ImageService;
|
||||
use Illuminate\Support\Facades\Validator;
|
||||
use Illuminate\Support\ServiceProvider;
|
||||
|
||||
@ -13,9 +14,8 @@ class CustomValidationServiceProvider extends ServiceProvider
|
||||
public function boot(): void
|
||||
{
|
||||
Validator::extend('image_extension', function ($attribute, $value, $parameters, $validator) {
|
||||
$validImageExtensions = ['png', 'jpg', 'jpeg', 'gif', 'webp'];
|
||||
|
||||
return in_array(strtolower($value->getClientOriginalExtension()), $validImageExtensions);
|
||||
$extension = strtolower($value->getClientOriginalExtension());
|
||||
return ImageService::isExtensionSupported($extension);
|
||||
});
|
||||
|
||||
Validator::extend('safe_url', function ($attribute, $value, $parameters, $validator) {
|
||||
|
||||
@ -27,7 +27,7 @@ class AttachmentService
|
||||
/**
|
||||
* Get the storage that will be used for storing files.
|
||||
*/
|
||||
protected function getStorage(): FileSystemInstance
|
||||
protected function getStorageDisk(): FileSystemInstance
|
||||
{
|
||||
return $this->fileSystem->disk($this->getStorageDiskName());
|
||||
}
|
||||
@ -70,7 +70,7 @@ class AttachmentService
|
||||
*/
|
||||
public function getAttachmentFromStorage(Attachment $attachment): string
|
||||
{
|
||||
return $this->getStorage()->get($this->adjustPathForStorageDisk($attachment->path));
|
||||
return $this->getStorageDisk()->get($this->adjustPathForStorageDisk($attachment->path));
|
||||
}
|
||||
|
||||
/**
|
||||
@ -195,7 +195,7 @@ class AttachmentService
|
||||
*/
|
||||
protected function deleteFileInStorage(Attachment $attachment)
|
||||
{
|
||||
$storage = $this->getStorage();
|
||||
$storage = $this->getStorageDisk();
|
||||
$dirPath = $this->adjustPathForStorageDisk(dirname($attachment->path));
|
||||
|
||||
$storage->delete($this->adjustPathForStorageDisk($attachment->path));
|
||||
@ -213,10 +213,10 @@ class AttachmentService
|
||||
{
|
||||
$attachmentData = file_get_contents($uploadedFile->getRealPath());
|
||||
|
||||
$storage = $this->getStorage();
|
||||
$storage = $this->getStorageDisk();
|
||||
$basePath = 'uploads/files/' . date('Y-m-M') . '/';
|
||||
|
||||
$uploadFileName = Str::random(16) . '.' . $uploadedFile->getClientOriginalExtension();
|
||||
$uploadFileName = Str::random(16) . '-' . $uploadedFile->getClientOriginalExtension();
|
||||
while ($storage->exists($this->adjustPathForStorageDisk($basePath . $uploadFileName))) {
|
||||
$uploadFileName = Str::random(3) . $uploadFileName;
|
||||
}
|
||||
|
||||
@ -11,36 +11,15 @@ use Symfony\Component\HttpFoundation\File\UploadedFile;
|
||||
|
||||
class ImageRepo
|
||||
{
|
||||
protected $image;
|
||||
protected $imageService;
|
||||
protected $restrictionService;
|
||||
protected $page;
|
||||
|
||||
protected static $supportedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
|
||||
|
||||
/**
|
||||
* ImageRepo constructor.
|
||||
*/
|
||||
public function __construct(
|
||||
Image $image,
|
||||
ImageService $imageService,
|
||||
PermissionService $permissionService,
|
||||
Page $page
|
||||
) {
|
||||
$this->image = $image;
|
||||
public function __construct(ImageService $imageService, PermissionService $permissionService) {
|
||||
$this->imageService = $imageService;
|
||||
$this->restrictionService = $permissionService;
|
||||
$this->page = $page;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the given image extension is supported by BookStack.
|
||||
* The extension must not be altered in this function. This check should provide a guarantee
|
||||
* that the provided extension is safe to use for the image to be saved.
|
||||
*/
|
||||
public function imageExtensionSupported(string $extension): bool
|
||||
{
|
||||
return in_array($extension, static::$supportedExtensions);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -48,7 +27,7 @@ class ImageRepo
|
||||
*/
|
||||
public function getById($id): Image
|
||||
{
|
||||
return $this->image->findOrFail($id);
|
||||
return Image::query()->findOrFail($id);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -61,7 +40,7 @@ class ImageRepo
|
||||
$hasMore = count($images) > $pageSize;
|
||||
|
||||
$returnImages = $images->take($pageSize);
|
||||
$returnImages->each(function ($image) {
|
||||
$returnImages->each(function (Image $image) {
|
||||
$this->loadThumbs($image);
|
||||
});
|
||||
|
||||
@ -83,7 +62,7 @@ class ImageRepo
|
||||
string $search = null,
|
||||
callable $whereClause = null
|
||||
): array {
|
||||
$imageQuery = $this->image->newQuery()->where('type', '=', strtolower($type));
|
||||
$imageQuery = Image::query()->where('type', '=', strtolower($type));
|
||||
|
||||
if ($uploadedTo !== null) {
|
||||
$imageQuery = $imageQuery->where('uploaded_to', '=', $uploadedTo);
|
||||
@ -114,7 +93,8 @@ class ImageRepo
|
||||
int $uploadedTo = null,
|
||||
string $search = null
|
||||
): array {
|
||||
$contextPage = $this->page->findOrFail($uploadedTo);
|
||||
/** @var Page $contextPage */
|
||||
$contextPage = Page::visible()->findOrFail($uploadedTo);
|
||||
$parentFilter = null;
|
||||
|
||||
if ($filterType === 'book' || $filterType === 'page') {
|
||||
@ -149,7 +129,7 @@ class ImageRepo
|
||||
*
|
||||
* @throws ImageUploadException
|
||||
*/
|
||||
public function saveNewFromData(string $imageName, string $imageData, string $type, int $uploadedTo = 0)
|
||||
public function saveNewFromData(string $imageName, string $imageData, string $type, int $uploadedTo = 0): Image
|
||||
{
|
||||
$image = $this->imageService->saveNew($imageName, $imageData, $type, $uploadedTo);
|
||||
$this->loadThumbs($image);
|
||||
@ -158,13 +138,13 @@ class ImageRepo
|
||||
}
|
||||
|
||||
/**
|
||||
* Save a drawing the the database.
|
||||
* Save a drawing in the database.
|
||||
*
|
||||
* @throws ImageUploadException
|
||||
*/
|
||||
public function saveDrawing(string $base64Uri, int $uploadedTo): Image
|
||||
{
|
||||
$name = 'Drawing-' . strval(user()->id) . '-' . strval(time()) . '.png';
|
||||
$name = 'Drawing-' . user()->id . '-' . time() . '.png';
|
||||
|
||||
return $this->imageService->saveNewFromBase64Uri($base64Uri, $name, 'drawio', $uploadedTo);
|
||||
}
|
||||
@ -172,7 +152,6 @@ class ImageRepo
|
||||
/**
|
||||
* Update the details of an image via an array of properties.
|
||||
*
|
||||
* @throws ImageUploadException
|
||||
* @throws Exception
|
||||
*/
|
||||
public function updateImageDetails(Image $image, $updateDetails): Image
|
||||
@ -189,13 +168,11 @@ class ImageRepo
|
||||
*
|
||||
* @throws Exception
|
||||
*/
|
||||
public function destroyImage(Image $image = null): bool
|
||||
public function destroyImage(Image $image = null): void
|
||||
{
|
||||
if ($image) {
|
||||
$this->imageService->destroy($image);
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -203,9 +180,9 @@ class ImageRepo
|
||||
*
|
||||
* @throws Exception
|
||||
*/
|
||||
public function destroyByType(string $imageType)
|
||||
public function destroyByType(string $imageType): void
|
||||
{
|
||||
$images = $this->image->where('type', '=', $imageType)->get();
|
||||
$images = Image::query()->where('type', '=', $imageType)->get();
|
||||
foreach ($images as $image) {
|
||||
$this->destroyImage($image);
|
||||
}
|
||||
@ -213,25 +190,21 @@ class ImageRepo
|
||||
|
||||
/**
|
||||
* Load thumbnails onto an image object.
|
||||
*
|
||||
* @throws Exception
|
||||
*/
|
||||
public function loadThumbs(Image $image)
|
||||
public function loadThumbs(Image $image): void
|
||||
{
|
||||
$image->thumbs = [
|
||||
$image->setAttribute('thumbs', [
|
||||
'gallery' => $this->getThumbnail($image, 150, 150, false),
|
||||
'display' => $this->getThumbnail($image, 1680, null, true),
|
||||
];
|
||||
]);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the thumbnail for an image.
|
||||
* If $keepRatio is true only the width will be used.
|
||||
* Checks the cache then storage to avoid creating / accessing the filesystem on every check.
|
||||
*
|
||||
* @throws Exception
|
||||
*/
|
||||
protected function getThumbnail(Image $image, ?int $width = 220, ?int $height = 220, bool $keepRatio = false): ?string
|
||||
protected function getThumbnail(Image $image, ?int $width, ?int $height, bool $keepRatio): ?string
|
||||
{
|
||||
try {
|
||||
return $this->imageService->getThumbnail($image, $width, $height, $keepRatio);
|
||||
|
||||
@ -11,11 +11,14 @@ use Illuminate\Contracts\Filesystem\FileNotFoundException;
|
||||
use Illuminate\Contracts\Filesystem\Filesystem as FileSystemInstance;
|
||||
use Illuminate\Contracts\Filesystem\Filesystem as Storage;
|
||||
use Illuminate\Support\Facades\DB;
|
||||
use Illuminate\Support\Facades\Log;
|
||||
use Illuminate\Support\Str;
|
||||
use Intervention\Image\Exception\NotSupportedException;
|
||||
use Intervention\Image\ImageManager;
|
||||
use League\Flysystem\Util;
|
||||
use Psr\SimpleCache\InvalidArgumentException;
|
||||
use Symfony\Component\HttpFoundation\File\UploadedFile;
|
||||
use Symfony\Component\HttpFoundation\StreamedResponse;
|
||||
|
||||
class ImageService
|
||||
{
|
||||
@ -25,6 +28,8 @@ class ImageService
|
||||
protected $image;
|
||||
protected $fileSystem;
|
||||
|
||||
protected static $supportedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
|
||||
|
||||
/**
|
||||
* ImageService constructor.
|
||||
*/
|
||||
@ -39,11 +44,20 @@ class ImageService
|
||||
/**
|
||||
* Get the storage that will be used for storing images.
|
||||
*/
|
||||
protected function getStorage(string $imageType = ''): FileSystemInstance
|
||||
protected function getStorageDisk(string $imageType = ''): FileSystemInstance
|
||||
{
|
||||
return $this->fileSystem->disk($this->getStorageDiskName($imageType));
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if local secure image storage (Fetched behind authentication)
|
||||
* is currently active in the instance.
|
||||
*/
|
||||
protected function usingSecureImages(): bool
|
||||
{
|
||||
return $this->getStorageDiskName('gallery') === 'local_secure_images';
|
||||
}
|
||||
|
||||
/**
|
||||
* Change the originally provided path to fit any disk-specific requirements.
|
||||
* This also ensures the path is kept to the expected root folders.
|
||||
@ -126,7 +140,7 @@ class ImageService
|
||||
*/
|
||||
public function saveNew(string $imageName, string $imageData, string $type, int $uploadedTo = 0): Image
|
||||
{
|
||||
$storage = $this->getStorage($type);
|
||||
$storage = $this->getStorageDisk($type);
|
||||
$secureUploads = setting('app-secure-images');
|
||||
$fileName = $this->cleanImageFileName($imageName);
|
||||
|
||||
@ -144,7 +158,7 @@ class ImageService
|
||||
try {
|
||||
$this->saveImageDataInPublicSpace($storage, $this->adjustPathForStorageDisk($fullPath, $type), $imageData);
|
||||
} catch (Exception $e) {
|
||||
\Log::error('Error when attempting image upload:' . $e->getMessage());
|
||||
Log::error('Error when attempting image upload:' . $e->getMessage());
|
||||
|
||||
throw new ImageUploadException(trans('errors.path_not_writable', ['filePath' => $fullPath]));
|
||||
}
|
||||
@ -218,18 +232,10 @@ class ImageService
|
||||
* Get the thumbnail for an image.
|
||||
* If $keepRatio is true only the width will be used.
|
||||
* Checks the cache then storage to avoid creating / accessing the filesystem on every check.
|
||||
*
|
||||
* @param Image $image
|
||||
* @param int $width
|
||||
* @param int $height
|
||||
* @param bool $keepRatio
|
||||
*
|
||||
* @throws Exception
|
||||
* @throws ImageUploadException
|
||||
*
|
||||
* @return string
|
||||
* @throws InvalidArgumentException
|
||||
*/
|
||||
public function getThumbnail(Image $image, $width = 220, $height = 220, $keepRatio = false)
|
||||
public function getThumbnail(Image $image, ?int $width, ?int $height, bool $keepRatio = false): string
|
||||
{
|
||||
if ($keepRatio && $this->isGif($image)) {
|
||||
return $this->getPublicUrl($image->path);
|
||||
@ -243,7 +249,7 @@ class ImageService
|
||||
return $this->getPublicUrl($thumbFilePath);
|
||||
}
|
||||
|
||||
$storage = $this->getStorage($image->type);
|
||||
$storage = $this->getStorageDisk($image->type);
|
||||
if ($storage->exists($this->adjustPathForStorageDisk($thumbFilePath, $image->type))) {
|
||||
return $this->getPublicUrl($thumbFilePath);
|
||||
}
|
||||
@ -257,27 +263,16 @@ class ImageService
|
||||
}
|
||||
|
||||
/**
|
||||
* Resize image data.
|
||||
*
|
||||
* @param string $imageData
|
||||
* @param int $width
|
||||
* @param int $height
|
||||
* @param bool $keepRatio
|
||||
* Resize the image of given data to the specified size, and return the new image data.
|
||||
*
|
||||
* @throws ImageUploadException
|
||||
*
|
||||
* @return string
|
||||
*/
|
||||
protected function resizeImage(string $imageData, $width = 220, $height = null, bool $keepRatio = true)
|
||||
protected function resizeImage(string $imageData, ?int $width, ?int $height, bool $keepRatio): string
|
||||
{
|
||||
try {
|
||||
$thumb = $this->imageTool->make($imageData);
|
||||
} catch (Exception $e) {
|
||||
if ($e instanceof ErrorException || $e instanceof NotSupportedException) {
|
||||
throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
|
||||
}
|
||||
|
||||
throw $e;
|
||||
} catch (ErrorException | NotSupportedException $e) {
|
||||
throw new ImageUploadException(trans('errors.cannot_create_thumbs'));
|
||||
}
|
||||
|
||||
if ($keepRatio) {
|
||||
@ -307,7 +302,7 @@ class ImageService
|
||||
*/
|
||||
public function getImageData(Image $image): string
|
||||
{
|
||||
$storage = $this->getStorage();
|
||||
$storage = $this->getStorageDisk();
|
||||
|
||||
return $storage->get($this->adjustPathForStorageDisk($image->path, $image->type));
|
||||
}
|
||||
@ -330,7 +325,7 @@ class ImageService
|
||||
protected function destroyImagesFromPath(string $path, string $imageType): bool
|
||||
{
|
||||
$path = $this->adjustPathForStorageDisk($path, $imageType);
|
||||
$storage = $this->getStorage($imageType);
|
||||
$storage = $this->getStorageDisk($imageType);
|
||||
|
||||
$imageFolder = dirname($path);
|
||||
$imageFileName = basename($path);
|
||||
@ -417,7 +412,7 @@ class ImageService
|
||||
}
|
||||
|
||||
$storagePath = $this->adjustPathForStorageDisk($storagePath);
|
||||
$storage = $this->getStorage();
|
||||
$storage = $this->getStorageDisk();
|
||||
$imageData = null;
|
||||
if ($storage->exists($storagePath)) {
|
||||
$imageData = $storage->get($storagePath);
|
||||
@ -435,6 +430,41 @@ class ImageService
|
||||
return 'data:image/' . $extension . ';base64,' . base64_encode($imageData);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the given path exists in the local secure image system.
|
||||
* Returns false if local_secure is not in use.
|
||||
*/
|
||||
public function pathExistsInLocalSecure(string $imagePath): bool
|
||||
{
|
||||
$disk = $this->getStorageDisk('gallery');
|
||||
|
||||
// Check local_secure is active
|
||||
return $this->usingSecureImages()
|
||||
// Check the image file exists
|
||||
&& $disk->exists($imagePath)
|
||||
// Check the file is likely an image file
|
||||
&& strpos($disk->getMimetype($imagePath), 'image/') === 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* For the given path, if existing, provide a response that will stream the image contents.
|
||||
*/
|
||||
public function streamImageFromStorageResponse(string $imageType, string $path): StreamedResponse
|
||||
{
|
||||
$disk = $this->getStorageDisk($imageType);
|
||||
return $disk->response($path);
|
||||
}
|
||||
|
||||
/**
|
||||
* Check if the given image extension is supported by BookStack.
|
||||
* The extension must not be altered in this function. This check should provide a guarantee
|
||||
* that the provided extension is safe to use for the image to be saved.
|
||||
*/
|
||||
public static function isExtensionSupported(string $extension): bool
|
||||
{
|
||||
return in_array($extension, static::$supportedExtensions);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get a storage path for the given image URL.
|
||||
* Ensures the path will start with "uploads/images".
|
||||
@ -476,7 +506,7 @@ class ImageService
|
||||
*/
|
||||
private function getPublicUrl(string $filePath): string
|
||||
{
|
||||
if ($this->storageUrl === null) {
|
||||
if (is_null($this->storageUrl)) {
|
||||
$storageUrl = config('filesystems.url');
|
||||
|
||||
// Get the standard public s3 url if s3 is set as storage type
|
||||
@ -490,6 +520,7 @@ class ImageService
|
||||
$storageUrl = 'https://s3-' . $storageDetails['region'] . '.amazonaws.com/' . $storageDetails['bucket'];
|
||||
}
|
||||
}
|
||||
|
||||
$this->storageUrl = $storageUrl;
|
||||
}
|
||||
|
||||
|
||||
65
app/Util/WebSafeMimeSniffer.php
Normal file
65
app/Util/WebSafeMimeSniffer.php
Normal file
@ -0,0 +1,65 @@
|
||||
<?php
|
||||
|
||||
namespace BookStack\Util;
|
||||
|
||||
use finfo;
|
||||
|
||||
/**
|
||||
* Helper class to sniff out the mime-type of content resulting in
|
||||
* a mime-type that's relatively safe to serve to a browser.
|
||||
*/
|
||||
class WebSafeMimeSniffer
|
||||
{
|
||||
|
||||
/**
|
||||
* @var string[]
|
||||
*/
|
||||
protected $safeMimes = [
|
||||
'application/json',
|
||||
'application/octet-stream',
|
||||
'application/pdf',
|
||||
'image/bmp',
|
||||
'image/jpeg',
|
||||
'image/png',
|
||||
'image/gif',
|
||||
'image/webp',
|
||||
'image/avif',
|
||||
'image/heic',
|
||||
'text/css',
|
||||
'text/csv',
|
||||
'text/javascript',
|
||||
'text/json',
|
||||
'text/plain',
|
||||
'video/x-msvideo',
|
||||
'video/mp4',
|
||||
'video/mpeg',
|
||||
'video/ogg',
|
||||
'video/webm',
|
||||
'video/vp9',
|
||||
'video/h264',
|
||||
'video/av1',
|
||||
];
|
||||
|
||||
/**
|
||||
* Sniff the mime-type from the given file content while running the result
|
||||
* through an allow-list to ensure a web-safe result.
|
||||
* Takes the content as a reference since the value may be quite large.
|
||||
*/
|
||||
public function sniff(string &$content): string
|
||||
{
|
||||
$fInfo = new finfo(FILEINFO_MIME_TYPE);
|
||||
$mime = $fInfo->buffer($content) ?: 'application/octet-stream';
|
||||
|
||||
if (in_array($mime, $this->safeMimes)) {
|
||||
return $mime;
|
||||
}
|
||||
|
||||
[$category] = explode('/', $mime, 2);
|
||||
if ($category === 'text') {
|
||||
return 'text/plain';
|
||||
}
|
||||
|
||||
return 'application/octet-stream';
|
||||
}
|
||||
|
||||
}
|
||||
@ -9,6 +9,7 @@ use BookStack\Uploads\Attachment;
|
||||
use BookStack\Uploads\AttachmentService;
|
||||
use Illuminate\Http\UploadedFile;
|
||||
use Tests\TestCase;
|
||||
use Tests\TestResponse;
|
||||
|
||||
class AttachmentTest extends TestCase
|
||||
{
|
||||
@ -44,6 +45,20 @@ class AttachmentTest extends TestCase
|
||||
return Attachment::query()->latest()->first();
|
||||
}
|
||||
|
||||
/**
|
||||
* Create a new upload attachment from the given data.
|
||||
*/
|
||||
protected function createUploadAttachment(Page $page, string $filename, string $content, string $mimeType): Attachment
|
||||
{
|
||||
$file = tmpfile();
|
||||
$filePath = stream_get_meta_data($file)['uri'];
|
||||
file_put_contents($filePath, $content);
|
||||
$upload = new UploadedFile($filePath, $filename, $mimeType, null, true);
|
||||
|
||||
$this->call('POST', '/attachments/upload', ['uploaded_to' => $page->id], [], ['file' => $upload], []);
|
||||
return $page->attachments()->latest()->firstOrFail();
|
||||
}
|
||||
|
||||
/**
|
||||
* Delete all uploaded files.
|
||||
* To assist with cleanup.
|
||||
@ -94,7 +109,8 @@ class AttachmentTest extends TestCase
|
||||
|
||||
$attachment = Attachment::query()->orderBy('id', 'desc')->first();
|
||||
$this->assertStringNotContainsString($fileName, $attachment->path);
|
||||
$this->assertStringEndsWith('.txt', $attachment->path);
|
||||
$this->assertStringEndsWith('-txt', $attachment->path);
|
||||
$this->deleteUploads();
|
||||
}
|
||||
|
||||
public function test_file_display_and_access()
|
||||
@ -305,7 +321,24 @@ class AttachmentTest extends TestCase
|
||||
// http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
|
||||
$attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
|
||||
$attachmentGet->assertHeader('Content-Disposition', 'inline; filename="upload_test_file.txt"');
|
||||
$attachmentGet->assertHeader('X-Content-Type-Options', 'nosniff');
|
||||
|
||||
$this->deleteUploads();
|
||||
}
|
||||
|
||||
public function test_html_file_access_with_open_forces_plain_content_type()
|
||||
{
|
||||
$page = Page::query()->first();
|
||||
$this->asAdmin();
|
||||
|
||||
$attachment = $this->createUploadAttachment($page, 'test_file.html', '<html></html><p>testing</p>', 'text/html');
|
||||
|
||||
$attachmentGet = $this->get($attachment->getUrl(true));
|
||||
// http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
|
||||
$attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
|
||||
$attachmentGet->assertHeader('Content-Disposition', 'inline; filename="test_file.html"');
|
||||
|
||||
$this->deleteUploads();
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
@ -241,6 +241,36 @@ class ImageTest extends TestCase
|
||||
}
|
||||
}
|
||||
|
||||
public function test_secure_image_paths_traversal_causes_500()
|
||||
{
|
||||
config()->set('filesystems.images', 'local_secure');
|
||||
$this->asEditor();
|
||||
|
||||
$resp = $this->get('/uploads/images/../../logs/laravel.log');
|
||||
$resp->assertStatus(500);
|
||||
}
|
||||
|
||||
public function test_secure_image_paths_traversal_on_non_secure_images_causes_404()
|
||||
{
|
||||
config()->set('filesystems.images', 'local');
|
||||
$this->asEditor();
|
||||
|
||||
$resp = $this->get('/uploads/images/../../logs/laravel.log');
|
||||
$resp->assertStatus(404);
|
||||
}
|
||||
|
||||
public function test_secure_image_paths_dont_serve_non_images()
|
||||
{
|
||||
config()->set('filesystems.images', 'local_secure');
|
||||
$this->asEditor();
|
||||
|
||||
$testFilePath = storage_path('/uploads/images/testing.txt');
|
||||
file_put_contents($testFilePath, 'hello from test_secure_image_paths_dont_serve_non_images');
|
||||
|
||||
$resp = $this->get('/uploads/images/testing.txt');
|
||||
$resp->assertStatus(404);
|
||||
}
|
||||
|
||||
public function test_secure_images_included_in_exports()
|
||||
{
|
||||
config()->set('filesystems.images', 'local_secure');
|
||||
|
||||
Loading…
Reference in New Issue
Block a user