lavender-legacy/gitea
7
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Refactor filetype is not allowed errors (#7309)

Browse source
This commit is contained in:
Antoine GIRARD 2019-07-07 04:25:05 +02:00 committed by techknowlogick
parent 75d4414386
commit f369788347
5 changed files with 61 additions and 46 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
modules/upload/filetype.go Normal file
View file

@ -0,0 +1,49 @@
// Copyright 2019 The Gitea Authors. All rights reserved.
// Use of this source code is governed by a MIT-style
// license that can be found in the LICENSE file.
package upload
import (
"fmt"
"net/http"
"strings"
"code.gitea.io/gitea/modules/log"
)
// ErrFileTypeForbidden not allowed file type error
type ErrFileTypeForbidden struct {
Type string
}
// IsErrFileTypeForbidden checks if an error is a ErrFileTypeForbidden.
func IsErrFileTypeForbidden(err error) bool {
_, ok := err.(ErrFileTypeForbidden)
return ok
}
func (err ErrFileTypeForbidden) Error() string {
return fmt.Sprintf("File type is not allowed: %s", err.Type)
}
// VerifyAllowedContentType validates a file is allowed to be uploaded.
func VerifyAllowedContentType(buf []byte, allowedTypes []string) error {
fileType := http.DetectContentType(buf)
allowed := false
for _, t := range allowedTypes {
t := strings.Trim(t, " ")
if t == "*/*" || t == fileType {
allowed = true
break
}
}
if !allowed {
log.Info("Attachment with type %s blocked from upload", fileType)
return ErrFileTypeForbidden{Type: fileType}
}
return nil
}

20
routers/api/v1/repo/release_attachment.go
View file

@ -5,13 +5,12 @@
package repo package repo
import ( import (
"errors"
"net/http"
"strings" "strings"
"code.gitea.io/gitea/models" "code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/upload"
api "code.gitea.io/gitea/modules/structs" api "code.gitea.io/gitea/modules/structs"
) )
@ -177,20 +176,9 @@ func CreateReleaseAttachment(ctx *context.APIContext) {
} }
// Check if the filetype is allowed by the settings // Check if the filetype is allowed by the settings
fileType := http.DetectContentType(buf) err = upload.VerifyAllowedContentType(buf, strings.Split(setting.AttachmentAllowedTypes, ","))
if err != nil {
allowedTypes := strings.Split(setting.AttachmentAllowedTypes, ",") ctx.Error(400, "DetectContentType", err)
allowed := false
for _, t := range allowedTypes {
t := strings.Trim(t, " ")
if t == "*/*" || t == fileType {
allowed = true
break
}
}
if !allowed {
ctx.Error(400, "DetectContentType", errors.New("File type is not allowed"))
return return
} }

19
routers/repo/attachment.go
View file

@ -6,13 +6,13 @@ package repo
import ( import (
"fmt" "fmt"
"net/http"
"strings" "strings"
"code.gitea.io/gitea/models" "code.gitea.io/gitea/models"
"code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/context"
"code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/log"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/upload"
) )
func renderAttachmentSettings(ctx *context.Context) { func renderAttachmentSettings(ctx *context.Context) {
@ -42,21 +42,10 @@ func UploadAttachment(ctx *context.Context) {
if n > 0 { if n > 0 {
buf = buf[:n] buf = buf[:n]
} }
fileType := http.DetectContentType(buf)
allowedTypes := strings.Split(setting.AttachmentAllowedTypes, ",") err = upload.VerifyAllowedContentType(buf, strings.Split(setting.AttachmentAllowedTypes, ","))
allowed := false if err != nil {
for _, t := range allowedTypes { ctx.Error(400, err.Error())
t := strings.Trim(t, " ")
if t == "*/*" || t == fileType {
allowed = true
break
}
}
if !allowed {
log.Info("Attachment with type %s blocked from upload", fileType)
ctx.Error(400, ErrFileTypeForbidden.Error())
return return
} }

17
routers/repo/editor.go
View file

@ -7,7 +7,6 @@ package repo
import ( import (
"fmt" "fmt"
"io/ioutil" "io/ioutil"
"net/http"
"path" "path"
"strings" "strings"
@ -20,6 +19,7 @@ import (
"code.gitea.io/gitea/modules/repofiles" "code.gitea.io/gitea/modules/repofiles"
"code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/templates" "code.gitea.io/gitea/modules/templates"
"code.gitea.io/gitea/modules/upload"
"code.gitea.io/gitea/modules/util" "code.gitea.io/gitea/modules/util"
) )
@ -594,20 +594,11 @@ func UploadFileToServer(ctx *context.Context) {
if n > 0 { if n > 0 {
buf = buf[:n] buf = buf[:n]
} }
fileType := http.DetectContentType(buf)
if len(setting.Repository.Upload.AllowedTypes) > 0 { if len(setting.Repository.Upload.AllowedTypes) > 0 {
allowed := false err = upload.VerifyAllowedContentType(buf, setting.Repository.Upload.AllowedTypes)
for _, t := range setting.Repository.Upload.AllowedTypes { if err != nil {
t := strings.Trim(t, " ") ctx.Error(400, err.Error())
if t == "*/*" || t == fileType {
allowed = true
break
}
}
if !allowed {
ctx.Error(400, ErrFileTypeForbidden.Error())
return return
} }
} }

2
routers/repo/issue.go
View file

@ -41,8 +41,6 @@ const (
) )
var ( var (
// ErrFileTypeForbidden not allowed file type error
ErrFileTypeForbidden = errors.New("File type is not allowed")
// ErrTooManyFiles upload too many files // ErrTooManyFiles upload too many files
ErrTooManyFiles = errors.New("Maximum number of files to upload exceeded") ErrTooManyFiles = errors.New("Maximum number of files to upload exceeded")
// IssueTemplateCandidates issue templates // IssueTemplateCandidates issue templates