diff --git a/shard.lock b/shard.lock index 0c65b18e..a8586ed5 100644 --- a/shard.lock +++ b/shard.lock @@ -255,7 +255,7 @@ shards: placeos-frontend-loader: git: https://github.com/placeos/frontend-loader.git - version: 2.7.1+git.commit.7ba696750e3876082b39476e0c399ce3890f8669 + version: 2.7.1+git.commit.352a520740fe85d9517e41325e883a8edf104b2b placeos-log-backend: git: https://github.com/place-labs/log-backend.git @@ -263,7 +263,7 @@ shards: placeos-models: git: https://github.com/placeos/models.git - version: 9.17.3 + version: 9.18.0 placeos-resource: git: https://github.com/place-labs/resource.git diff --git a/spec/controllers/uploads_spec.cr b/spec/controllers/uploads_spec.cr index 2726df38..4299c9bc 100644 --- a/spec/controllers/uploads_spec.cr +++ b/spec/controllers/uploads_spec.cr @@ -29,8 +29,8 @@ module PlaceOS::Api resp = client.get("#{Uploads.base_route}/new?#{params}", headers: Spec::Authentication.headers) - resp.status_code.should eq(401) - JSON.parse(resp.body).as_h["error"].as_s.should eq("File extension not allowed") + resp.status_code.should eq(400) + JSON.parse(resp.body).as_h["error"].as_s.should eq("filename extension not allowed") end it "should handle storage allowed list on post call" do @@ -47,8 +47,8 @@ module PlaceOS::Api resp = client.post(Uploads.base_route, body: params.to_json, headers: Spec::Authentication.headers) - resp.status_code.should eq(401) - JSON.parse(resp.body).as_h["error"].as_s.should eq("File extension not allowed") + resp.status_code.should eq(400) + JSON.parse(resp.body).as_h["error"].as_s.should eq("filename extension not allowed") end it "post should return the pre-signed signature" do diff --git a/src/placeos-rest-api/controllers/uploads.cr b/src/placeos-rest-api/controllers/uploads.cr index 6a9ce2b0..8ee84a62 100644 --- a/src/placeos-rest-api/controllers/uploads.cr +++ b/src/placeos-rest-api/controllers/uploads.cr @@ -288,13 +288,34 @@ module PlaceOS::Api end def allowed?(file_name, file_mime) - storage.check_file_ext(File.extname(file_name)) + if !Model::Upload.safe_filename?(file_name) + raise AC::Route::Param::ValueError.new( + "filename contains unsupported characters or words", + "file_name" + ) + end + + begin + storage.check_file_ext(File.extname(file_name)) + rescue error : PlaceOS::Model::Error + raise AC::Route::Param::ValueError.new( + "filename extension not allowed", + "file_name", + storage.ext_filter.join(",") + ) + end + if mime = file_mime - storage.check_file_mime(mime) + begin + storage.check_file_mime(mime) + rescue error : PlaceOS::Model::Error + raise AC::Route::Param::ValueError.new( + "mime type not supported", + "file_mime", + storage.mime_filter.join(",") + ) + end end - rescue ex : PlaceOS::Model::Error - Log.error(exception: ex) { {file_name: file_name, mime_type: file_mime} } - raise Error::Unauthorized.new(ex.message || "Invalid file extension or mime type") end end end