summaryrefslogtreecommitdiffstats
path: root/services/context/upload
diff options
context:
space:
mode:
authorDaniel Baumann <daniel@debian.org>2024-10-18 20:33:49 +0200
committerDaniel Baumann <daniel@debian.org>2024-12-12 23:57:56 +0100
commite68b9d00a6e05b3a941f63ffb696f91e554ac5ec (patch)
tree97775d6c13b0f416af55314eb6a89ef792474615 /services/context/upload
parentInitial commit. (diff)
downloadforgejo-e68b9d00a6e05b3a941f63ffb696f91e554ac5ec.tar.xz
forgejo-e68b9d00a6e05b3a941f63ffb696f91e554ac5ec.zip
Adding upstream version 9.0.3.
Signed-off-by: Daniel Baumann <daniel@debian.org>
Diffstat (limited to '')
-rw-r--r--services/context/upload/upload.go105
-rw-r--r--services/context/upload/upload_test.go194
2 files changed, 299 insertions, 0 deletions
diff --git a/services/context/upload/upload.go b/services/context/upload/upload.go
new file mode 100644
index 0000000..77a7eb9
--- /dev/null
+++ b/services/context/upload/upload.go
@@ -0,0 +1,105 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package upload
+
+import (
+ "mime"
+ "net/http"
+ "net/url"
+ "path"
+ "regexp"
+ "strings"
+
+ "code.gitea.io/gitea/modules/log"
+ "code.gitea.io/gitea/modules/setting"
+ "code.gitea.io/gitea/services/context"
+)
+
+// ErrFileTypeForbidden not allowed file type error
+type ErrFileTypeForbidden struct {
+ Type string
+}
+
+// IsErrFileTypeForbidden checks if an error is a ErrFileTypeForbidden.
+func IsErrFileTypeForbidden(err error) bool {
+ _, ok := err.(ErrFileTypeForbidden)
+ return ok
+}
+
+func (err ErrFileTypeForbidden) Error() string {
+ return "This file extension or type is not allowed to be uploaded."
+}
+
+var wildcardTypeRe = regexp.MustCompile(`^[a-z]+/\*$`)
+
+// Verify validates whether a file is allowed to be uploaded.
+func Verify(buf []byte, fileName, allowedTypesStr string) error {
+ allowedTypesStr = strings.ReplaceAll(allowedTypesStr, "|", ",") // compat for old config format
+
+ allowedTypes := []string{}
+ for _, entry := range strings.Split(allowedTypesStr, ",") {
+ entry = strings.ToLower(strings.TrimSpace(entry))
+ if entry != "" {
+ allowedTypes = append(allowedTypes, entry)
+ }
+ }
+
+ if len(allowedTypes) == 0 {
+ return nil // everything is allowed
+ }
+
+ fullMimeType := http.DetectContentType(buf)
+ mimeType, _, err := mime.ParseMediaType(fullMimeType)
+ if err != nil {
+ log.Warn("Detected attachment type could not be parsed %s", fullMimeType)
+ return ErrFileTypeForbidden{Type: fullMimeType}
+ }
+ extension := strings.ToLower(path.Ext(fileName))
+
+ // https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers
+ for _, allowEntry := range allowedTypes {
+ if allowEntry == "*/*" {
+ return nil // everything allowed
+ } else if strings.HasPrefix(allowEntry, ".") && allowEntry == extension {
+ return nil // extension is allowed
+ } else if mimeType == allowEntry {
+ return nil // mime type is allowed
+ } else if wildcardTypeRe.MatchString(allowEntry) && strings.HasPrefix(mimeType, allowEntry[:len(allowEntry)-1]) {
+ return nil // wildcard match, e.g. image/*
+ }
+ }
+
+ log.Info("Attachment with type %s blocked from upload", fullMimeType)
+ return ErrFileTypeForbidden{Type: fullMimeType}
+}
+
+// AddUploadContext renders template values for dropzone
+func AddUploadContext(ctx *context.Context, uploadType string) {
+ if uploadType == "release" {
+ ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
+ ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/releases/attachments/remove"
+ ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
+ ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Release.AllowedTypes, "|", ",")
+ ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
+ ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
+ } else if uploadType == "comment" {
+ ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
+ ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/issues/attachments/remove"
+ if len(ctx.Params(":index")) > 0 {
+ ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/" + url.PathEscape(ctx.Params(":index")) + "/attachments"
+ } else {
+ ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
+ }
+ ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Attachment.AllowedTypes, "|", ",")
+ ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
+ ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
+ } else if uploadType == "repo" {
+ ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/upload-file"
+ ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/upload-remove"
+ ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/upload-file"
+ ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Upload.AllowedTypes, "|", ",")
+ ctx.Data["UploadMaxFiles"] = setting.Repository.Upload.MaxFiles
+ ctx.Data["UploadMaxSize"] = setting.Repository.Upload.FileMaxSize
+ }
+}
diff --git a/services/context/upload/upload_test.go b/services/context/upload/upload_test.go
new file mode 100644
index 0000000..f2c3242
--- /dev/null
+++ b/services/context/upload/upload_test.go
@@ -0,0 +1,194 @@
+// Copyright 2019 The Gitea Authors. All rights reserved.
+// SPDX-License-Identifier: MIT
+
+package upload
+
+import (
+ "bytes"
+ "compress/gzip"
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+)
+
+func TestUpload(t *testing.T) {
+ testContent := []byte(`This is a plain text file.`)
+ var b bytes.Buffer
+ w := gzip.NewWriter(&b)
+ w.Write(testContent)
+ w.Close()
+
+ kases := []struct {
+ data []byte
+ fileName string
+ allowedTypes string
+ err error
+ }{
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "dir/test.txt",
+ allowedTypes: "",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "../../../test.txt",
+ allowedTypes: "",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: ",",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "|",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "*/*",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "*/*,",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "*/*|",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "text/plain",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "dir/test.txt",
+ allowedTypes: "text/plain",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "/dir.txt/test.js",
+ allowedTypes: ".js",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: " text/plain ",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: ".txt",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: " .txt,.js",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: " .txt|.js",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "../../test.txt",
+ allowedTypes: " .txt|.js",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: " .txt ,.js ",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "text/plain, .txt",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "text/*",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "text/*,.js",
+ err: nil,
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "text/**",
+ err: ErrFileTypeForbidden{"text/plain; charset=utf-8"},
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: "application/x-gzip",
+ err: ErrFileTypeForbidden{"text/plain; charset=utf-8"},
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: ".zip",
+ err: ErrFileTypeForbidden{"text/plain; charset=utf-8"},
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: ".zip,.txtx",
+ err: ErrFileTypeForbidden{"text/plain; charset=utf-8"},
+ },
+ {
+ data: testContent,
+ fileName: "test.txt",
+ allowedTypes: ".zip|.txtx",
+ err: ErrFileTypeForbidden{"text/plain; charset=utf-8"},
+ },
+ {
+ data: b.Bytes(),
+ fileName: "test.txt",
+ allowedTypes: "application/x-gzip",
+ err: nil,
+ },
+ }
+
+ for _, kase := range kases {
+ assert.Equal(t, kase.err, Verify(kase.data, kase.fileName, kase.allowedTypes))
+ }
+}