2020-10-05 01:49:33 -04:00
|
|
|
// Copyright 2019 The Gitea Authors. All rights reserved.
|
2022-11-27 13:20:29 -05:00
|
|
|
// SPDX-License-Identifier: MIT
|
2020-10-05 01:49:33 -04:00
|
|
|
|
|
|
|
package upload
|
|
|
|
|
|
|
|
import (
|
2021-11-27 06:12:43 -05:00
|
|
|
"mime"
|
2020-10-05 01:49:33 -04:00
|
|
|
"net/http"
|
2021-11-16 13:18:25 -05:00
|
|
|
"net/url"
|
2020-10-05 01:49:33 -04:00
|
|
|
"path"
|
|
|
|
"regexp"
|
|
|
|
"strings"
|
|
|
|
|
|
|
|
"code.gitea.io/gitea/modules/log"
|
|
|
|
"code.gitea.io/gitea/modules/setting"
|
2024-02-27 02:12:22 -05:00
|
|
|
"code.gitea.io/gitea/services/context"
|
2020-10-05 01:49:33 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
// ErrFileTypeForbidden not allowed file type error
|
|
|
|
type ErrFileTypeForbidden struct {
|
|
|
|
Type string
|
|
|
|
}
|
|
|
|
|
|
|
|
// IsErrFileTypeForbidden checks if an error is a ErrFileTypeForbidden.
|
|
|
|
func IsErrFileTypeForbidden(err error) bool {
|
|
|
|
_, ok := err.(ErrFileTypeForbidden)
|
|
|
|
return ok
|
|
|
|
}
|
|
|
|
|
|
|
|
func (err ErrFileTypeForbidden) Error() string {
|
2024-11-06 16:34:32 -05:00
|
|
|
return "This file cannot be uploaded or modified due to a forbidden file extension or type."
|
2020-10-05 01:49:33 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
var wildcardTypeRe = regexp.MustCompile(`^[a-z]+/\*$`)
|
|
|
|
|
2024-11-06 16:34:32 -05:00
|
|
|
// Verify validates whether a file is allowed to be uploaded. If buf is empty, it will just check if the file
|
|
|
|
// has an allowed file extension.
|
2021-12-19 23:41:31 -05:00
|
|
|
func Verify(buf []byte, fileName, allowedTypesStr string) error {
|
2020-10-05 01:49:33 -04:00
|
|
|
allowedTypesStr = strings.ReplaceAll(allowedTypesStr, "|", ",") // compat for old config format
|
|
|
|
|
|
|
|
allowedTypes := []string{}
|
|
|
|
for _, entry := range strings.Split(allowedTypesStr, ",") {
|
|
|
|
entry = strings.ToLower(strings.TrimSpace(entry))
|
|
|
|
if entry != "" {
|
|
|
|
allowedTypes = append(allowedTypes, entry)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if len(allowedTypes) == 0 {
|
|
|
|
return nil // everything is allowed
|
|
|
|
}
|
|
|
|
|
|
|
|
fullMimeType := http.DetectContentType(buf)
|
2021-11-27 06:12:43 -05:00
|
|
|
mimeType, _, err := mime.ParseMediaType(fullMimeType)
|
|
|
|
if err != nil {
|
|
|
|
log.Warn("Detected attachment type could not be parsed %s", fullMimeType)
|
|
|
|
return ErrFileTypeForbidden{Type: fullMimeType}
|
|
|
|
}
|
2020-10-05 01:49:33 -04:00
|
|
|
extension := strings.ToLower(path.Ext(fileName))
|
2024-11-06 16:34:32 -05:00
|
|
|
isBufEmpty := len(buf) <= 1
|
2020-10-05 01:49:33 -04:00
|
|
|
|
|
|
|
// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers
|
|
|
|
for _, allowEntry := range allowedTypes {
|
|
|
|
if allowEntry == "*/*" {
|
|
|
|
return nil // everything allowed
|
2024-11-06 16:34:32 -05:00
|
|
|
}
|
|
|
|
if strings.HasPrefix(allowEntry, ".") && allowEntry == extension {
|
2020-10-05 01:49:33 -04:00
|
|
|
return nil // extension is allowed
|
2024-11-06 16:34:32 -05:00
|
|
|
}
|
|
|
|
if isBufEmpty {
|
|
|
|
continue // skip mime type checks if buffer is empty
|
|
|
|
}
|
|
|
|
if mimeType == allowEntry {
|
2020-10-05 01:49:33 -04:00
|
|
|
return nil // mime type is allowed
|
2024-11-06 16:34:32 -05:00
|
|
|
}
|
|
|
|
if wildcardTypeRe.MatchString(allowEntry) && strings.HasPrefix(mimeType, allowEntry[:len(allowEntry)-1]) {
|
2020-10-05 01:49:33 -04:00
|
|
|
return nil // wildcard match, e.g. image/*
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2024-11-06 16:34:32 -05:00
|
|
|
if !isBufEmpty {
|
|
|
|
log.Info("Attachment with type %s blocked from upload", fullMimeType)
|
|
|
|
}
|
|
|
|
|
2020-10-05 01:49:33 -04:00
|
|
|
return ErrFileTypeForbidden{Type: fullMimeType}
|
|
|
|
}
|
|
|
|
|
|
|
|
// AddUploadContext renders template values for dropzone
|
|
|
|
func AddUploadContext(ctx *context.Context, uploadType string) {
|
|
|
|
if uploadType == "release" {
|
|
|
|
ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
|
|
|
|
ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/releases/attachments/remove"
|
2020-10-10 19:49:59 -04:00
|
|
|
ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
|
2020-10-11 16:27:20 -04:00
|
|
|
ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Release.AllowedTypes, "|", ",")
|
2020-10-05 01:49:33 -04:00
|
|
|
ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
|
|
|
|
ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
|
|
|
|
} else if uploadType == "comment" {
|
|
|
|
ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
|
|
|
|
ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/issues/attachments/remove"
|
2024-06-18 18:32:45 -04:00
|
|
|
if len(ctx.PathParam(":index")) > 0 {
|
|
|
|
ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/" + url.PathEscape(ctx.PathParam(":index")) + "/attachments"
|
2020-10-10 19:49:59 -04:00
|
|
|
} else {
|
|
|
|
ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
|
|
|
|
}
|
2020-10-11 16:27:20 -04:00
|
|
|
ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Attachment.AllowedTypes, "|", ",")
|
2020-10-05 01:49:33 -04:00
|
|
|
ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
|
|
|
|
ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
|
|
|
|
} else if uploadType == "repo" {
|
|
|
|
ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/upload-file"
|
|
|
|
ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/upload-remove"
|
2020-10-10 19:49:59 -04:00
|
|
|
ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/upload-file"
|
2020-10-11 16:27:20 -04:00
|
|
|
ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Upload.AllowedTypes, "|", ",")
|
2020-10-05 01:49:33 -04:00
|
|
|
ctx.Data["UploadMaxFiles"] = setting.Repository.Upload.MaxFiles
|
|
|
|
ctx.Data["UploadMaxSize"] = setting.Repository.Upload.FileMaxSize
|
|
|
|
}
|
|
|
|
}
|