fix(security): file extension should not contain special characters
streamtw committed Aug 9, 2024
1 parent 78c8f26 commit 8170760
Showing 3 changed files with 36 additions and 0 deletions.
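--- a/src/Exceptions/InvalidExtensionException.php
+++ b/src/Exceptions/InvalidExtensionException.php
@@ -0,0 +1,11 @@
+<?php
+
+namespace UniSharp\LaravelFilemanager\Exceptions;
+
+class InvalidExtensionException extends \Exception
+{
+public function __construct()
+{
+$this->message = 'File extension is not valid.';
+}
+}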
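Review bot: The constructor assigns `$this->message` directly instead of delegating to the base class, so `\Exception`'s `$code` and `$previous` can never be supplied by a caller that wants to chain the underlying cause; `parent::__construct('File extension is not valid.');` carries the same message through the supported API. This may simply mirror the project's sibling exception classes, which are not visible here, in which case keeping the pattern for consistency is defensible. Either way the class would benefit from a one-line docblock such as `/** Thrown when a client-supplied file extension contains characters other than ASCII letters and digits. */` so the meaning of "not valid" is discoverable from the type.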
12 changes: 12 additions & 0 deletions src/LfmUploadValidator.php
Expand Up @@ -9,6 +9,7 @@
use UniSharp\LaravelFilemanager\Exceptions\FileFailedToUploadException;
use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedConfigurationMaximumException;
use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedIniMaximumException;
use UniSharp\LaravelFilemanager\Exceptions\InvalidExtensionException;
use UniSharp\LaravelFilemanager\Exceptions\InvalidMimeTypeException;
use UniSharp\LaravelFilemanager\LfmPath;

Expand Down Expand Up @@ -94,6 +95,17 @@ public function mimeTypeIsValid($available_mime_types)
return $this;
}

public function extensionIsValid()
{
$extension = strtolower($this->file->getClientOriginalExtension());

if (preg_match('/[^a-zA-Z0-9]/', $extension) > 0) {
throw new InvalidExtensionException();
}

return $this;
}

public function sizeIsLowerThanConfiguredMaximum($max_size_in_kb)
{
// size to kb unit is needed
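Review bot: `extensionIsValid()` is added to LfmUploadValidator but no call site appears in this commit — the other two changed files are the new exception class and its unit test — so the rejection of special characters only takes effect if the upload flow that chains these validators already invokes it or a follow-up commit wires it in; confirming that call exists is the part of this security fix the diff cannot show. Within the method, `[^a-zA-Z0-9]` is applied after `strtolower()`, so the uppercase range is redundant and `/[^a-z0-9]/` states the intent more precisely. An empty extension also passes unchanged, since `preg_match` returns 0 on an empty string, which is presumably intended for extensionless uploads but deserves a comment saying so. A docblock along the lines of `/** Rejects a client-supplied extension containing anything other than ASCII letters and digits. @return $this @throws InvalidExtensionException */` would document the contract; the enclosing class continues outside the hunk.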
13 changes: 13 additions & 0 deletions tests/LfmUploadValidatorTest.php
Expand Up @@ -9,6 +9,7 @@
use UniSharp\LaravelFilemanager\Exceptions\FileFailedToUploadException;
use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedConfigurationMaximumException;
use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedIniMaximumException;
use UniSharp\LaravelFilemanager\Exceptions\InvalidExtensionException;
use UniSharp\LaravelFilemanager\Exceptions\InvalidMimeTypeException;
use UniSharp\LaravelFilemanager\LfmPath;
use UniSharp\LaravelFilemanager\LfmUploadValidator;
Expand Down Expand Up @@ -167,6 +168,18 @@ public function testFailsExtensionIsNotExcutableWithExtensionNotLowerCase()
$validator->extensionIsNotExcutable(['php', 'html']);
}

public function testFailsExtensionIsValidWithSpecialCharacters()
{
$uploaded_file = m::mock(UploadedFile::class);
$uploaded_file->shouldReceive('getClientOriginalExtension')->andReturn('html@');

$validator = new LfmUploadValidator($uploaded_file);

$this->expectException(InvalidExtensionException::class);

$validator->extensionIsValid();
}

public function testPassesSizeIsLowerThanConfiguredMaximum()
{
$uploaded_file = m::mock(UploadedFile::class);
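Review bot: Only the rejecting path of `extensionIsValid()` is covered; `testFailsExtensionIsValidWithSpecialCharacters` proves that `html@` throws, but nothing asserts that an ordinary extension is accepted or that the method returns the validator for chaining, so a regression that rejects every extension would still pass this suite. A companion passing-case test following the file's existing `testPasses…` naming closes that gap, and an empty-extension case would additionally pin down whether extensionless uploads are meant to pass. The test class continues outside the hunk.
```php
public function testPassesExtensionIsValid()
{
    $uploaded_file = m::mock(UploadedFile::class);
    $uploaded_file->shouldReceive('getClientOriginalExtension')->andReturn('html');

    $validator = new LfmUploadValidator($uploaded_file);

    $this->assertSame($validator, $validator->extensionIsValid());
}
```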
