Skip to content

Add the Ability to filter file uploads based on file extensions #6043

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Sigmonia merged 8 commits into from
Nov 20, 2024
Merged

Add the Ability to filter file uploads based on file extensions #6043

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
1512955
Add the ability to limit file uploads based on the file extension
Sigmonia Nov 11, 2024
cf9a1fd
Add unit test
Sigmonia Nov 12, 2024
64b73c1
Make call from
Sigmonia Nov 12, 2024
8d3b7e0
CR feedback 2
Sigmonia Nov 14, 2024
141a619
rolling this back
Sigmonia Nov 14, 2024
5b0edeb
Throwing a DevException to improve the error shown to the User
Sigmonia Nov 15, 2024
a16e134
Don't check extensions for directories
Sigmonia Nov 15, 2024
b8ea9af
fix the unit test
Sigmonia Nov 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions api/src/org/labkey/api/premium/AntiVirusProviderRegistry.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,6 @@ static void setInstance(AntiVirusProviderRegistry impl)

default StandardServletMultipartResolver getMultipartResolver(ViewBackgroundInfo info)
{
return new StandardServletMultipartResolver();
return new DefaultAVMultipartResolver();
}
}
}
43 changes: 43 additions & 0 deletions api/src/org/labkey/api/premium/DefaultAVMultipartResolver.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
package org.labkey.api.premium;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.Part;
import org.jetbrains.annotations.NotNull;
import org.labkey.api.util.FileUtil;
import org.springframework.web.multipart.MultipartException;
import org.springframework.web.multipart.MultipartHttpServletRequest;
import org.springframework.web.multipart.support.StandardMultipartHttpServletRequest;
import org.springframework.web.multipart.support.StandardServletMultipartResolver;

import java.io.IOException;

public class DefaultAVMultipartResolver extends StandardServletMultipartResolver
{
@Override
public @NotNull MultipartHttpServletRequest resolveMultipart(HttpServletRequest request) throws MultipartException
{
try
{
for (Part part : request.getParts())
{
// Filter to just file uploads
if (part.getSubmittedFileName() != null)
{
FileUtil.checkAllowedFileName(part.getSubmittedFileName(), true);
validate(part);
}
}
}
catch (IOException | ServletException e)
{
throw new MultipartException("Couldn't get uploaded files", e);
}
return new StandardMultipartHttpServletRequest(request, false);
}

protected void validate(Part part)
{
//do nothing by default, but give subclasses a chance to override
}
}
2 changes: 2 additions & 0 deletions api/src/org/labkey/api/settings/AppProps.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -255,4 +255,6 @@ static WriteableAppProps getWriteableInstance()
@NotNull String getDistributionFilename();

@NotNull Set<SupportedDatabase> getDistributionSupportedDatabases();

@NotNull List<String> getAllowedExtensions();
}
7 changes: 7 additions & 0 deletions api/src/org/labkey/api/settings/AppPropsImpl.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -661,6 +661,13 @@ public List<String> getExternalSourceHosts()
return getExternalHosts(externalSourceHostURLs);
}

@Override
@NotNull
public List<String> getAllowedExtensions()
{
return getExternalHosts(allowedFileExtensions);
}

private List<String> getExternalHosts(RandomStartupProperties propName)
{
String urls = lookupStringValue(propName, "");
Expand Down
8 changes: 8 additions & 0 deletions api/src/org/labkey/api/settings/RandomStartupProperties.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,14 @@ public void setValue(WriteableAppProps writeable, String value)
writeable.setExternalSourceHosts(Arrays.asList(StringUtils.split(value, AppPropsImpl.EXTERNAL_HOST_DELIMITER)));
}
},
allowedFileExtensions("Allowed file extensions")
{
@Override
public void setValue(WriteableAppProps writeable, String value)
{
writeable.setAllowedFileExtensions(Arrays.asList(StringUtils.split(value, AppPropsImpl.EXTERNAL_HOST_DELIMITER)));
}
},
fileUploadDisabled("Disable file upload")
{
@Override
Expand Down
7 changes: 7 additions & 0 deletions api/src/org/labkey/api/settings/WriteableAppProps.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@
import org.labkey.api.data.Container;
import org.labkey.api.security.User;
import org.labkey.api.util.ExceptionReportingLevel;
import org.labkey.api.util.FileUtil;
import org.labkey.api.util.UsageReportingLevel;
import org.labkey.api.view.NavTreeManager;

Expand Down Expand Up @@ -235,4 +236,10 @@ private void setExternalHosts(RandomStartupProperties propName, @NotNull Collect
{
storeStringValue(propName, String.join(EXTERNAL_HOST_DELIMITER, externalSourceHosts));
}

public void setAllowedFileExtensions(Collection<String> allowedFileExtensions)
{
setExternalHosts(RandomStartupProperties.allowedFileExtensions, allowedFileExtensions);
FileUtil.setExtensionChecker(AppProps.getInstance());
}
}
Loading