fix: force download of unsafe extensions

2021-12-24 20:18:12 -05:00
parent 57b56d3a5b
commit 79bdd44093
6 changed files with 33 additions and 2 deletions
--- a/server/app/data.yml
+++ b/server/app/data.yml
@@ -81,6 +81,7 @@ defaults:
      maxFileSize: 5242880
      maxFiles: 10
      scanSVG: true
+      forceDownload: true
    flags:
      ldapdebug: false
      sqllog: false
--- a/server/graph/resolvers/site.js
+++ b/server/graph/resolvers/site.js
@@ -30,7 +30,8 @@ module.exports = {
        authJwtRenewablePeriod: WIKI.config.auth.tokenRenewal,
        uploadMaxFileSize: WIKI.config.uploads.maxFileSize,
        uploadMaxFiles: WIKI.config.uploads.maxFiles,
-        uploadScanSVG: WIKI.config.uploads.scanSVG
+        uploadScanSVG: WIKI.config.uploads.scanSVG,
+        uploadForceDownload: WIKI.config.uploads.forceDownload
      }
    }
  },
@@ -99,7 +100,8 @@ module.exports = {
        WIKI.config.uploads = {
          maxFileSize: _.get(args, 'uploadMaxFileSize', WIKI.config.uploads.maxFileSize),
          maxFiles: _.get(args, 'uploadMaxFiles', WIKI.config.uploads.maxFiles),
-          scanSVG: _.get(args, 'uploadScanSVG', WIKI.config.uploads.scanSVG)
+          scanSVG: _.get(args, 'uploadScanSVG', WIKI.config.uploads.scanSVG),
+          forceDownload: _.get(args, 'uploadForceDownload', WIKI.config.uploads.forceDownload)
        }

        await WIKI.configSvc.saveToDb(['host', 'title', 'company', 'contentLicense', 'seo', 'logoUrl', 'auth', 'features', 'security', 'uploads'])
--- a/server/graph/schemas/site.graphql
+++ b/server/graph/schemas/site.graphql
@@ -55,6 +55,7 @@ type SiteMutation {
    uploadMaxFileSize: Int
    uploadMaxFiles: Int
    uploadScanSVG: Boolean
+    uploadForceDownload: Boolean

  ): DefaultResponse @auth(requires: ["manage:system"])
 }
@@ -95,4 +96,5 @@ type SiteConfig {
  uploadMaxFileSize: Int
  uploadMaxFiles: Int
  uploadScanSVG: Boolean
+  uploadForceDownload: Boolean
 }
--- a/server/helpers/asset.js
+++ b/server/helpers/asset.js
@@ -1,4 +1,5 @@
 const crypto = require('crypto')
+const path = require('path')

 module.exports = {
  /**
@@ -6,5 +7,9 @@ module.exports = {
   */
  generateHash(assetPath) {
    return crypto.createHash('sha1').update(assetPath).digest('hex')
+  },
+
+  getPathInfo(assetPath) {
+    return path.parse(assetPath.toLowerCase())
  }
 }
--- a/server/models/assets.js
+++ b/server/models/assets.js
@@ -168,8 +168,15 @@ module.exports = class Asset extends Model {

  static async getAsset(assetPath, res) {
    try {
+      const fileInfo = assetHelper.getPathInfo(assetPath)
      const fileHash = assetHelper.generateHash(assetPath)
      const cachePath = path.resolve(WIKI.ROOTPATH, WIKI.config.dataPath, `cache/${fileHash}.dat`)
+
+      // Force unsafe extensions to download
+      if (WIKI.config.uploads.forceDownload && !['.png', '.apng', '.jpg', '.jpeg', '.gif', '.bmp', '.webp', '.svg'].includes(fileInfo.ext)) {
+        res.set('Content-disposition', 'attachment; filename=' + fileInfo.base)
+      }
+
      if (await WIKI.models.assets.getAssetFromCache(assetPath, cachePath, res)) {
        return
      }