forgejo/modules/upload/upload.go

// Copyright 2019 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT

package upload

import (
	"mime"
	"net/http"
	"net/url"
	"path"
	"regexp"
	"strings"

	"code.gitea.io/gitea/modules/context"
	"code.gitea.io/gitea/modules/log"
	"code.gitea.io/gitea/modules/setting"
)

// ErrFileTypeForbidden not allowed file type error
type ErrFileTypeForbidden struct {
	Type string
}

// IsErrFileTypeForbidden checks if an error is a ErrFileTypeForbidden.
func IsErrFileTypeForbidden(err error) bool {
	_, ok := err.(ErrFileTypeForbidden)
	return ok
}

func (err ErrFileTypeForbidden) Error() string {
	return "This file extension or type is not allowed to be uploaded."
}

var wildcardTypeRe = regexp.MustCompile(`^[a-z]+/\*$`)

// Verify validates whether a file is allowed to be uploaded.
func Verify(buf []byte, fileName, allowedTypesStr string) error {
	allowedTypesStr = strings.ReplaceAll(allowedTypesStr, "|", ",") // compat for old config format

	allowedTypes := []string{}
	for _, entry := range strings.Split(allowedTypesStr, ",") {
		entry = strings.ToLower(strings.TrimSpace(entry))
		if entry != "" {
			allowedTypes = append(allowedTypes, entry)
		}
	}

	if len(allowedTypes) == 0 {
		return nil // everything is allowed
	}

	fullMimeType := http.DetectContentType(buf)
	mimeType, _, err := mime.ParseMediaType(fullMimeType)
	if err != nil {
		log.Warn("Detected attachment type could not be parsed %s", fullMimeType)
		return ErrFileTypeForbidden{Type: fullMimeType}
	}
	extension := strings.ToLower(path.Ext(fileName))

	// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers
	for _, allowEntry := range allowedTypes {
		if allowEntry == "*/*" {
			return nil // everything allowed
		} else if strings.HasPrefix(allowEntry, ".") && allowEntry == extension {
			return nil // extension is allowed
		} else if mimeType == allowEntry {
			return nil // mime type is allowed
		} else if wildcardTypeRe.MatchString(allowEntry) && strings.HasPrefix(mimeType, allowEntry[:len(allowEntry)-1]) {
			return nil // wildcard match, e.g. image/*
		}
	}

	log.Info("Attachment with type %s blocked from upload", fullMimeType)
	return ErrFileTypeForbidden{Type: fullMimeType}
}

// AddUploadContext renders template values for dropzone
func AddUploadContext(ctx *context.Context, uploadType string) {
	if uploadType == "release" {
		ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
		ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/releases/attachments/remove"
		ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/releases/attachments"
		ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Release.AllowedTypes, "|", ",")
		ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
		ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
	} else if uploadType == "comment" {
		ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
		ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/issues/attachments/remove"
		if len(ctx.Params(":index")) > 0 {
			ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/" + url.PathEscape(ctx.Params(":index")) + "/attachments"
		} else {
			ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/attachments"
		}
		ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Attachment.AllowedTypes, "|", ",")
		ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles
		ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize
	} else if uploadType == "repo" {
		ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/upload-file"
		ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/upload-remove"
		ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/upload-file"
		ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Upload.AllowedTypes, "|", ",")
		ctx.Data["UploadMaxFiles"] = setting.Repository.Upload.MaxFiles
		ctx.Data["UploadMaxSize"] = setting.Repository.Upload.FileMaxSize
	}
}
Attachments: Add extension support, allow all types for releases (#12465) * Attachments: Add extension support, allow all types for releases - Add support for file extensions, matching the `accept` attribute of `<input type="file">` - Add support for type wildcard mime types, e.g. `image/` - Create repository.release.ALLOWED_TYPES setting (default unrestricted) - Change default for attachment.ALLOWED_TYPES to a list of extensions - Split out POST /attachments into two endpoints for issue/pr and releases to prevent circumvention of allowed types check Fixes: https://github.com/go-gitea/gitea/pull/10172 Fixes: https://github.com/go-gitea/gitea/issues/7266 Fixes: https://github.com/go-gitea/gitea/pull/12460 Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers rename function * extract GET routes out of RepoMustNotBeArchived Co-authored-by: Lauris BH <lauris@nix.lv> 2020-10-05 05:49:33 +00:00			`// Copyright 2019 The Gitea Authors. All rights reserved.`
Implement FSFE REUSE for golang files (#21840) Change all license headers to comply with REUSE specification. Fix #16132 Co-authored-by: flynnnnnnnnnn <flynnnnnnnnnn@github> Co-authored-by: John Olheiser <john.olheiser@gmail.com> 2022-11-27 18:20:29 +00:00			`// SPDX-License-Identifier: MIT`
Attachments: Add extension support, allow all types for releases (#12465) * Attachments: Add extension support, allow all types for releases - Add support for file extensions, matching the `accept` attribute of `<input type="file">` - Add support for type wildcard mime types, e.g. `image/` - Create repository.release.ALLOWED_TYPES setting (default unrestricted) - Change default for attachment.ALLOWED_TYPES to a list of extensions - Split out POST /attachments into two endpoints for issue/pr and releases to prevent circumvention of allowed types check Fixes: https://github.com/go-gitea/gitea/pull/10172 Fixes: https://github.com/go-gitea/gitea/issues/7266 Fixes: https://github.com/go-gitea/gitea/pull/12460 Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers rename function * extract GET routes out of RepoMustNotBeArchived Co-authored-by: Lauris BH <lauris@nix.lv> 2020-10-05 05:49:33 +00:00
			`package upload`

			`import (`
Replace regex usage for MIME parsing (#17831) MIME types can have multiple optional parameters, eg: video/webm; codecs="w/e codec"; charset="binary" This commit replaces the usage of regex for getting the "type/subtype" with mime.ParseMediaType. 2021-11-27 11:12:43 +00:00			`"mime"`
Attachments: Add extension support, allow all types for releases (#12465) * Attachments: Add extension support, allow all types for releases - Add support for file extensions, matching the `accept` attribute of `<input type="file">` - Add support for type wildcard mime types, e.g. `image/` - Create repository.release.ALLOWED_TYPES setting (default unrestricted) - Change default for attachment.ALLOWED_TYPES to a list of extensions - Split out POST /attachments into two endpoints for issue/pr and releases to prevent circumvention of allowed types check Fixes: https://github.com/go-gitea/gitea/pull/10172 Fixes: https://github.com/go-gitea/gitea/issues/7266 Fixes: https://github.com/go-gitea/gitea/pull/12460 Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers rename function * extract GET routes out of RepoMustNotBeArchived Co-authored-by: Lauris BH <lauris@nix.lv> 2020-10-05 05:49:33 +00:00			`"net/http"`
Multiple Escaping Improvements (#17551) There are multiple places where Gitea does not properly escape URLs that it is building and there are multiple places where it builds urls when there is already a simpler function available to use this. This is an extensive PR attempting to fix these issues. 1. The first commit in this PR looks through all href, src and links in the Gitea codebase and has attempted to catch all the places where there is potentially incomplete escaping. 2. Whilst doing this we will prefer to use functions that create URLs over recreating them by hand. 3. All uses of strings should be directly escaped - even if they are not currently expected to contain escaping characters. The main benefit to doing this will be that we can consider relaxing the constraints on user names and reponames in future. 4. The next commit looks at escaping in the wiki and re-considers the urls that are used there. Using the improved escaping here wiki files containing '/'. (This implementation will currently still place all of the wiki files the root directory of the repo but this would not be difficult to change.) 5. The title generation in feeds is now properly escaped. 6. EscapePound is no longer needed - urls should be PathEscaped / QueryEscaped as necessary but then re-escaped with Escape when creating html with locales Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-11-16 18:18:25 +00:00			`"net/url"`
Attachments: Add extension support, allow all types for releases (#12465) * Attachments: Add extension support, allow all types for releases - Add support for file extensions, matching the `accept` attribute of `<input type="file">` - Add support for type wildcard mime types, e.g. `image/` - Create repository.release.ALLOWED_TYPES setting (default unrestricted) - Change default for attachment.ALLOWED_TYPES to a list of extensions - Split out POST /attachments into two endpoints for issue/pr and releases to prevent circumvention of allowed types check Fixes: https://github.com/go-gitea/gitea/pull/10172 Fixes: https://github.com/go-gitea/gitea/issues/7266 Fixes: https://github.com/go-gitea/gitea/pull/12460 Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers rename function * extract GET routes out of RepoMustNotBeArchived Co-authored-by: Lauris BH <lauris@nix.lv> 2020-10-05 05:49:33 +00:00			`"path"`
			`"regexp"`
			`"strings"`

			`"code.gitea.io/gitea/modules/context"`
			`"code.gitea.io/gitea/modules/log"`
			`"code.gitea.io/gitea/modules/setting"`
			`)`

			`// ErrFileTypeForbidden not allowed file type error`
			`type ErrFileTypeForbidden struct {`
			`Type string`
			`}`

			`// IsErrFileTypeForbidden checks if an error is a ErrFileTypeForbidden.`
			`func IsErrFileTypeForbidden(err error) bool {`
			`_, ok := err.(ErrFileTypeForbidden)`
			`return ok`
			`}`

			`func (err ErrFileTypeForbidden) Error() string {`
			`return "This file extension or type is not allowed to be uploaded."`
			`}`

			var wildcardTypeRe = regexp.MustCompile(`^[a-z]+/\*$`)

			`// Verify validates whether a file is allowed to be uploaded.`
Simplify parameter types (#18006) Remove repeated type declarations in function definitions. 2021-12-20 04:41:31 +00:00			`func Verify(buf []byte, fileName, allowedTypesStr string) error {`
Attachments: Add extension support, allow all types for releases (#12465) * Attachments: Add extension support, allow all types for releases - Add support for file extensions, matching the `accept` attribute of `<input type="file">` - Add support for type wildcard mime types, e.g. `image/` - Create repository.release.ALLOWED_TYPES setting (default unrestricted) - Change default for attachment.ALLOWED_TYPES to a list of extensions - Split out POST /attachments into two endpoints for issue/pr and releases to prevent circumvention of allowed types check Fixes: https://github.com/go-gitea/gitea/pull/10172 Fixes: https://github.com/go-gitea/gitea/issues/7266 Fixes: https://github.com/go-gitea/gitea/pull/12460 Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers rename function * extract GET routes out of RepoMustNotBeArchived Co-authored-by: Lauris BH <lauris@nix.lv> 2020-10-05 05:49:33 +00:00			`allowedTypesStr = strings.ReplaceAll(allowedTypesStr, "\|", ",") // compat for old config format`

			`allowedTypes := []string{}`
			`for _, entry := range strings.Split(allowedTypesStr, ",") {`
			`entry = strings.ToLower(strings.TrimSpace(entry))`
			`if entry != "" {`
			`allowedTypes = append(allowedTypes, entry)`
			`}`
			`}`

			`if len(allowedTypes) == 0 {`
			`return nil // everything is allowed`
			`}`

			`fullMimeType := http.DetectContentType(buf)`
Replace regex usage for MIME parsing (#17831) MIME types can have multiple optional parameters, eg: video/webm; codecs="w/e codec"; charset="binary" This commit replaces the usage of regex for getting the "type/subtype" with mime.ParseMediaType. 2021-11-27 11:12:43 +00:00			`mimeType, _, err := mime.ParseMediaType(fullMimeType)`
			`if err != nil {`
			`log.Warn("Detected attachment type could not be parsed %s", fullMimeType)`
			`return ErrFileTypeForbidden{Type: fullMimeType}`
			`}`
Attachments: Add extension support, allow all types for releases (#12465) * Attachments: Add extension support, allow all types for releases - Add support for file extensions, matching the `accept` attribute of `<input type="file">` - Add support for type wildcard mime types, e.g. `image/` - Create repository.release.ALLOWED_TYPES setting (default unrestricted) - Change default for attachment.ALLOWED_TYPES to a list of extensions - Split out POST /attachments into two endpoints for issue/pr and releases to prevent circumvention of allowed types check Fixes: https://github.com/go-gitea/gitea/pull/10172 Fixes: https://github.com/go-gitea/gitea/issues/7266 Fixes: https://github.com/go-gitea/gitea/pull/12460 Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers rename function * extract GET routes out of RepoMustNotBeArchived Co-authored-by: Lauris BH <lauris@nix.lv> 2020-10-05 05:49:33 +00:00			`extension := strings.ToLower(path.Ext(fileName))`

			`// https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers`
			`for _, allowEntry := range allowedTypes {`
			`if allowEntry == "/" {`
			`return nil // everything allowed`
			`} else if strings.HasPrefix(allowEntry, ".") && allowEntry == extension {`
			`return nil // extension is allowed`
			`} else if mimeType == allowEntry {`
			`return nil // mime type is allowed`
			`} else if wildcardTypeRe.MatchString(allowEntry) && strings.HasPrefix(mimeType, allowEntry[:len(allowEntry)-1]) {`
			`return nil // wildcard match, e.g. image/*`
			`}`
			`}`

			`log.Info("Attachment with type %s blocked from upload", fullMimeType)`
			`return ErrFileTypeForbidden{Type: fullMimeType}`
			`}`

			`// AddUploadContext renders template values for dropzone`
			`func AddUploadContext(ctx *context.Context, uploadType string) {`
			`if uploadType == "release" {`
			`ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/releases/attachments"`
			`ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/releases/attachments/remove"`
Fix attachments list in edit comment (#13036) #11141 broke the appearance of dropzone attachments when editting comments causing poorly updating lists. This PR fixes this. Fix #12583 Signed-off-by: Andrew Thornton art27@cantab.net 2020-10-10 23:49:59 +00:00			`ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/releases/attachments"`
Update golangci-lint to version 1.31.0 (#13102) This PR updates golangci-lint to the latest version 1.31.0. The upgrade introduced a new check for which I've fixed or disabled most cases. Signed-off-by: kolaente <k@knt.li> 2020-10-11 20:27:20 +00:00			`ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Release.AllowedTypes, "\|", ",")`
Attachments: Add extension support, allow all types for releases (#12465) * Attachments: Add extension support, allow all types for releases - Add support for file extensions, matching the `accept` attribute of `<input type="file">` - Add support for type wildcard mime types, e.g. `image/` - Create repository.release.ALLOWED_TYPES setting (default unrestricted) - Change default for attachment.ALLOWED_TYPES to a list of extensions - Split out POST /attachments into two endpoints for issue/pr and releases to prevent circumvention of allowed types check Fixes: https://github.com/go-gitea/gitea/pull/10172 Fixes: https://github.com/go-gitea/gitea/issues/7266 Fixes: https://github.com/go-gitea/gitea/pull/12460 Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers rename function * extract GET routes out of RepoMustNotBeArchived Co-authored-by: Lauris BH <lauris@nix.lv> 2020-10-05 05:49:33 +00:00			`ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles`
			`ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize`
			`} else if uploadType == "comment" {`
			`ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/issues/attachments"`
			`ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/issues/attachments/remove"`
Fix attachments list in edit comment (#13036) #11141 broke the appearance of dropzone attachments when editting comments causing poorly updating lists. This PR fixes this. Fix #12583 Signed-off-by: Andrew Thornton art27@cantab.net 2020-10-10 23:49:59 +00:00			`if len(ctx.Params(":index")) > 0 {`
Multiple Escaping Improvements (#17551) There are multiple places where Gitea does not properly escape URLs that it is building and there are multiple places where it builds urls when there is already a simpler function available to use this. This is an extensive PR attempting to fix these issues. 1. The first commit in this PR looks through all href, src and links in the Gitea codebase and has attempted to catch all the places where there is potentially incomplete escaping. 2. Whilst doing this we will prefer to use functions that create URLs over recreating them by hand. 3. All uses of strings should be directly escaped - even if they are not currently expected to contain escaping characters. The main benefit to doing this will be that we can consider relaxing the constraints on user names and reponames in future. 4. The next commit looks at escaping in the wiki and re-considers the urls that are used there. Using the improved escaping here wiki files containing '/'. (This implementation will currently still place all of the wiki files the root directory of the repo but this would not be difficult to change.) 5. The title generation in feeds is now properly escaped. 6. EscapePound is no longer needed - urls should be PathEscaped / QueryEscaped as necessary but then re-escaped with Escape when creating html with locales Signed-off-by: Andrew Thornton <art27@cantab.net> Signed-off-by: Andrew Thornton <art27@cantab.net> 2021-11-16 18:18:25 +00:00			`ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/" + url.PathEscape(ctx.Params(":index")) + "/attachments"`
Fix attachments list in edit comment (#13036) #11141 broke the appearance of dropzone attachments when editting comments causing poorly updating lists. This PR fixes this. Fix #12583 Signed-off-by: Andrew Thornton art27@cantab.net 2020-10-10 23:49:59 +00:00			`} else {`
			`ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/issues/attachments"`
			`}`
Update golangci-lint to version 1.31.0 (#13102) This PR updates golangci-lint to the latest version 1.31.0. The upgrade introduced a new check for which I've fixed or disabled most cases. Signed-off-by: kolaente <k@knt.li> 2020-10-11 20:27:20 +00:00			`ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Attachment.AllowedTypes, "\|", ",")`
Attachments: Add extension support, allow all types for releases (#12465) * Attachments: Add extension support, allow all types for releases - Add support for file extensions, matching the `accept` attribute of `<input type="file">` - Add support for type wildcard mime types, e.g. `image/` - Create repository.release.ALLOWED_TYPES setting (default unrestricted) - Change default for attachment.ALLOWED_TYPES to a list of extensions - Split out POST /attachments into two endpoints for issue/pr and releases to prevent circumvention of allowed types check Fixes: https://github.com/go-gitea/gitea/pull/10172 Fixes: https://github.com/go-gitea/gitea/issues/7266 Fixes: https://github.com/go-gitea/gitea/pull/12460 Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers rename function * extract GET routes out of RepoMustNotBeArchived Co-authored-by: Lauris BH <lauris@nix.lv> 2020-10-05 05:49:33 +00:00			`ctx.Data["UploadMaxFiles"] = setting.Attachment.MaxFiles`
			`ctx.Data["UploadMaxSize"] = setting.Attachment.MaxSize`
			`} else if uploadType == "repo" {`
			`ctx.Data["UploadUrl"] = ctx.Repo.RepoLink + "/upload-file"`
			`ctx.Data["UploadRemoveUrl"] = ctx.Repo.RepoLink + "/upload-remove"`
Fix attachments list in edit comment (#13036) #11141 broke the appearance of dropzone attachments when editting comments causing poorly updating lists. This PR fixes this. Fix #12583 Signed-off-by: Andrew Thornton art27@cantab.net 2020-10-10 23:49:59 +00:00			`ctx.Data["UploadLinkUrl"] = ctx.Repo.RepoLink + "/upload-file"`
Update golangci-lint to version 1.31.0 (#13102) This PR updates golangci-lint to the latest version 1.31.0. The upgrade introduced a new check for which I've fixed or disabled most cases. Signed-off-by: kolaente <k@knt.li> 2020-10-11 20:27:20 +00:00			`ctx.Data["UploadAccepts"] = strings.ReplaceAll(setting.Repository.Upload.AllowedTypes, "\|", ",")`
Attachments: Add extension support, allow all types for releases (#12465) * Attachments: Add extension support, allow all types for releases - Add support for file extensions, matching the `accept` attribute of `<input type="file">` - Add support for type wildcard mime types, e.g. `image/` - Create repository.release.ALLOWED_TYPES setting (default unrestricted) - Change default for attachment.ALLOWED_TYPES to a list of extensions - Split out POST /attachments into two endpoints for issue/pr and releases to prevent circumvention of allowed types check Fixes: https://github.com/go-gitea/gitea/pull/10172 Fixes: https://github.com/go-gitea/gitea/issues/7266 Fixes: https://github.com/go-gitea/gitea/pull/12460 Ref: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/input/file#Unique_file_type_specifiers rename function * extract GET routes out of RepoMustNotBeArchived Co-authored-by: Lauris BH <lauris@nix.lv> 2020-10-05 05:49:33 +00:00			`ctx.Data["UploadMaxFiles"] = setting.Repository.Upload.MaxFiles`
			`ctx.Data["UploadMaxSize"] = setting.Repository.Upload.FileMaxSize`
			`}`
			`}`