feat(uploads): improve upload validation

provide more descriptive errors
PlaceOS · Sep 7, 2023 · 7f4a3f2 · 7f4a3f2
1 parent a599702
commit 7f4a3f2
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 11 deletions.
diff --git a/shard.lock b/shard.lock
@@ -255,15 +255,15 @@ shards:
 
   placeos-frontend-loader:
     git: https://github.com/placeos/frontend-loader.git
-    version: 2.7.1+git.commit.7ba696750e3876082b39476e0c399ce3890f8669
+    version: 2.7.1+git.commit.352a520740fe85d9517e41325e883a8edf104b2b
 
   placeos-log-backend:
     git: https://github.com/place-labs/log-backend.git
     version: 0.11.4
 
   placeos-models:
     git: https://github.com/placeos/models.git
-    version: 9.17.3
+    version: 9.18.0
 
   placeos-resource:
     git: https://github.com/place-labs/resource.git

diff --git a/spec/controllers/uploads_spec.cr b/spec/controllers/uploads_spec.cr
@@ -29,8 +29,8 @@ module PlaceOS::Api
 
       resp = client.get("#{Uploads.base_route}/new?#{params}",
         headers: Spec::Authentication.headers)
-      resp.status_code.should eq(401)
-      JSON.parse(resp.body).as_h["error"].as_s.should eq("File extension not allowed")
+      resp.status_code.should eq(400)
+      JSON.parse(resp.body).as_h["error"].as_s.should eq("filename extension not allowed")
     end
 
     it "should handle storage allowed list on post call" do
@@ -47,8 +47,8 @@ module PlaceOS::Api
       resp = client.post(Uploads.base_route,
         body: params.to_json,
         headers: Spec::Authentication.headers)
-      resp.status_code.should eq(401)
-      JSON.parse(resp.body).as_h["error"].as_s.should eq("File extension not allowed")
+      resp.status_code.should eq(400)
+      JSON.parse(resp.body).as_h["error"].as_s.should eq("filename extension not allowed")
     end
 
     it "post should return the pre-signed signature" do

diff --git a/src/placeos-rest-api/controllers/uploads.cr b/src/placeos-rest-api/controllers/uploads.cr
@@ -288,13 +288,34 @@ module PlaceOS::Api
     end
 
     def allowed?(file_name, file_mime)
-      storage.check_file_ext(File.extname(file_name))
+      if !Model::Upload.safe_filename?(file_name)
+        raise AC::Route::Param::ValueError.new(
+          "filename contains unsupported characters or words",
+          "file_name"
+        )
+      end
+
+      begin
+        storage.check_file_ext(File.extname(file_name))
+      rescue error : PlaceOS::Model::Error
+        raise AC::Route::Param::ValueError.new(
+          "filename extension not allowed",
+          "file_name",
+          storage.ext_filter.join(",")
+        )
+      end
+
       if mime = file_mime
-        storage.check_file_mime(mime)
+        begin
+          storage.check_file_mime(mime)
+        rescue error : PlaceOS::Model::Error
+          raise AC::Route::Param::ValueError.new(
+            "mime type not supported",
+            "file_mime",
+            storage.mime_filter.join(",")
+          )
+        end
       end
-    rescue ex : PlaceOS::Model::Error
-      Log.error(exception: ex) { {file_name: file_name, mime_type: file_mime} }
-      raise Error::Unauthorized.new(ex.message || "Invalid file extension or mime type")
     end
   end
 end