From 8170760c0ae316d77b9363cd4c76ab68d3f63f0b Mon Sep 17 00:00:00 2001
From: Stream
Date: Fri, 9 Aug 2024 21:52:16 +0800
Subject: [PATCH] fix(security): file extension should not contain special characters

---
 src/Exceptions/InvalidExtensionException.php | 11 +++++++++++
 src/LfmUploadValidator.php | 12 ++++++++++++
 tests/LfmUploadValidatorTest.php | 13 +++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 src/Exceptions/InvalidExtensionException.php

diff --git a/src/Exceptions/InvalidExtensionException.php b/src/Exceptions/InvalidExtensionException.php
new file mode 100644
index 00000000..4f9ac26f
--- /dev/null
+++ b/src/Exceptions/InvalidExtensionException.php
@@ -0,0 +1,11 @@
+message = 'File extension is not valid.';
+ }
+}
diff --git a/src/LfmUploadValidator.php b/src/LfmUploadValidator.php
index fd1e24ed..77055414 100644
--- a/src/LfmUploadValidator.php
+++ b/src/LfmUploadValidator.php
@@ -9,6 +9,7 @@
 use UniSharp\LaravelFilemanager\Exceptions\FileFailedToUploadException;
 use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedConfigurationMaximumException;
 use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedIniMaximumException;
+use UniSharp\LaravelFilemanager\Exceptions\InvalidExtensionException;
 use UniSharp\LaravelFilemanager\Exceptions\InvalidMimeTypeException;
 use UniSharp\LaravelFilemanager\LfmPath;

@@ -94,6 +95,17 @@ public function mimeTypeIsValid($available_mime_types)
 return $this;
 }

+ public function extensionIsValid()
+ {
+ $extension = strtolower($this->file->getClientOriginalExtension());
+
+ if (preg_match('/[^a-zA-Z0-9]/', $extension) > 0) {
+ throw new InvalidExtensionException();
+ }
+
+ return $this;
+ }
+
 public function sizeIsLowerThanConfiguredMaximum($max_size_in_kb)
 {
 // size to kb unit is needed
diff --git a/tests/LfmUploadValidatorTest.php b/tests/LfmUploadValidatorTest.php
index a74f9ca3..95940010 100644
--- a/tests/LfmUploadValidatorTest.php
+++ b/tests/LfmUploadValidatorTest.php
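Review bot: In `extensionIsValid`, the guard `preg_match(...) > 0` treats a PCRE failure (`preg_match` returns `false` on error) the same as "no forbidden character", so the new check fails open; for a security filter compare exactly, `if (preg_match('/[^a-z0-9]/', $extension) !== 0) {`, which also drops the `A-Z` range that the `strtolower` on the line above makes redundant. An empty extension (client name without a dot) passes this check as well; if that is intended, a one-line comment such as `// an empty extension is accepted here; extensionIsNotExcutable covers the allow-list` would save the next reader a question. The call site that should chain `extensionIsValid()` into the upload flow next to `mimeTypeIsValid` and `extensionIsNotExcutable` is not part of this diff, so please confirm it is wired there, otherwise the new method has no effect on uploads. The enclosing class continues outside the hunk.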
@@ -9,6 +9,7 @@
 use UniSharp\LaravelFilemanager\Exceptions\FileFailedToUploadException;
 use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedConfigurationMaximumException;
 use UniSharp\LaravelFilemanager\Exceptions\FileSizeExceedIniMaximumException;
+use UniSharp\LaravelFilemanager\Exceptions\InvalidExtensionException;
 use UniSharp\LaravelFilemanager\Exceptions\InvalidMimeTypeException;
 use UniSharp\LaravelFilemanager\LfmPath;
 use UniSharp\LaravelFilemanager\LfmUploadValidator;
@@ -167,6 +168,18 @@ public function testFailsExtensionIsNotExcutableWithExtensionNotLowerCase()
 $validator->extensionIsNotExcutable(['php', 'html']);
 }

+ public function testFailsExtensionIsValidWithSpecialCharacters()
+ {
+ $uploaded_file = m::mock(UploadedFile::class);
+ $uploaded_file->shouldReceive('getClientOriginalExtension')->andReturn('html@');
+
+ $validator = new LfmUploadValidator($uploaded_file);
+
+ $this->expectException(InvalidExtensionException::class);
+
+ $validator->extensionIsValid();
+ }
+
 public function testPassesSizeIsLowerThanConfiguredMaximum()
 {
 $uploaded_file = m::mock(UploadedFile::class);
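Review bot: `testFailsExtensionIsValidWithSpecialCharacters` pins only the rejecting path; the validators around it come in `testFails…`/`testPasses…` pairs (see `testPassesSizeIsLowerThanConfiguredMaximum` in the context lines), and nothing asserts that `extensionIsValid()` returns the validator for an ordinary extension, so a regression that rejects every upload would pass this suite. A sibling test like the one below keeps the pairing, and an uppercase value also exercises the `strtolower` in the validator. The rest of the test class lies outside the hunk.
```php
public function testPassesExtensionIsValid()
{
    $uploaded_file = m::mock(UploadedFile::class);
    $uploaded_file->shouldReceive('getClientOriginalExtension')->andReturn('HTML');

    $validator = new LfmUploadValidator($uploaded_file);

    $this->assertSame($validator, $validator->extensionIsValid());
}
```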