Skip to content

Add the Ability to filter file uploads based on file extensions #6043

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Sigmonia merged 8 commits into from
Nov 20, 2024
Merged

Add the Ability to filter file uploads based on file extensions #6043

Sigmonia merged 8 commits into from
Nov 20, 2024

Conversation

@Sigmonia
Copy link
Contributor

@Sigmonia Sigmonia commented Nov 11, 2024
edited
Loading

Rationale

Secure Issue 51524: Allowlist for acceptable types of file upload

Related PRs

Changes

  • updated shared jsps
  • Add allow list
  • and extension checker to file uploads

@Sigmonia Sigmonia self-assigned this Nov 11, 2024
labkey-jeckels
labkey-jeckels requested changes Nov 12, 2024
View reviewed changes
labkey-jeckels
labkey-jeckels requested changes Nov 13, 2024
View reviewed changes
api/src/org/labkey/api/util/FileUtil.java
assertNotNull("Matched unlist extension", checkExtension("my test.notListed", mockProps));
assertNotNull("Combined multiple extension matched incorrectly", checkExtension("multi.a_v.tar", mockProps));
assertNotNull("Multi-multi extension matched unexpectedly", checkExtension("multi.not.tar.gz", mockProps));
assertNotNull("No extension matched unexpectedly", checkExtension("No extension", mockProps));
Copy link
Contributor

@labkey-jeckels labkey-jeckels Nov 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I hadn't considered files with no extension. I guess it's OK to reject them all at this point.

core/src/org/labkey/core/webdav/DavController.java Outdated

if (FileUtil.isAllowedFileName(name) != null)
{
throw new IOException("The file extension is not allowed.");
Copy link
Contributor

@labkey-jeckels labkey-jeckels Nov 13, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This may reject the name unrelated to the exception. Let's use the message this call returns instead of hard-coding the error message

@Sigmonia Sigmonia force-pushed the 24.11_fb_fileExtensions branch from 3a252ce to ef580e1 Compare November 14, 2024 21:21
labkey-matthewb
labkey-matthewb reviewed Nov 14, 2024
View reviewed changes
api/src/org/labkey/api/util/FileUtil.java
if (appProps.getAllowedExtensions().isEmpty())
return null;

if (extensionChecker == null)
Copy link
Contributor

@labkey-matthewb labkey-matthewb Nov 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When does this get cleared? It seems very sticky.

Copy link
Contributor Author

@Sigmonia Sigmonia Nov 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It only gets changed in setExtensionChecker which is called when the WritableAppProps.setAllowedFileExtensions is called when the new Allow List prop is saved or when the server is starting up

Copy link
Contributor

@labkey-matthewb labkey-matthewb Nov 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see. The pattern confused me. I would have expected a getExtensionCheck() that wrapped the null check.

@labkey-matthewb
Copy link
Contributor

labkey-matthewb commented Nov 14, 2024

Do we want to allow folder names to have "." in them? Disallowing doesn't seem to be related to the original goal of the feature.

labkey-matthewb
labkey-matthewb requested changes Nov 14, 2024
View reviewed changes
core/src/org/labkey/core/webdav/DavController.java Outdated
String notAllowedMsg = FileUtil.isAllowedFileName(name);
if (StringUtils.isNotBlank(notAllowedMsg))
{
throw new IOException(notAllowedMsg);
Copy link
Contributor

@labkey-matthewb labkey-matthewb Nov 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

throw DavException in the dav controller to get the file browser to display an expected UI. Maybe use 409 SC_CONFLICT? or 406 (SC_NOT_ACCEPTABLE)

@Sigmonia
Add the ability to limit file uploads based on the file extension
1512955
@Sigmonia
Add unit test
cf9a1fd 
- fix regex quoting
- modified checker methods to be testable

adjusted description text
@Sigmonia
Make call from
64b73c1
@Sigmonia
CR feedback 2
8d3b7e0 
- Move isInvalidFilenameBlocked check
- Subclass Multipart Resolver so we can more easily check the file extension
- fix typos and messaging
@Sigmonia
rolling this back
141a619
@Sigmonia
Throwing a DevException to improve the error shown to the User
5b0edeb
@Sigmonia
Don't check extensions for directories
a16e134 
Updated error message read the text passed
@Sigmonia
fix the unit test
b8ea9af
@Sigmonia Sigmonia force-pushed the 24.11_fb_fileExtensions branch from 5bd71ea to b8ea9af Compare November 19, 2024 22:21
@Sigmonia Sigmonia merged commit f8c2495 into release24.11-SNAPSHOT Nov 20, 2024
2 of 10 checks passed
@Sigmonia Sigmonia deleted the 24.11_fb_fileExtensions branch November 20, 2024 00:07
@labkey-adam labkey-adam mentioned this pull request Nov 21, 2024
Merged
@labkey-klum labkey-klum mentioned this pull request Mar 18, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@labkey-jeckels labkey-jeckels labkey-jeckels approved these changes

@labkey-matthewb labkey-matthewb labkey-matthewb approved these changes

@labkey-adam labkey-adam Awaiting requested review from labkey-adam

Assignees

@Sigmonia Sigmonia

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Sigmonia @labkey-matthewb @labkey-jeckels