Merge pull request #534 from gotify/fix-xss

Fix file upload XSS
2022-12-28 19:38:05 +00:00 · 2022-12-28 19:38:05 +00:00 · 022603ddf9
parent c8f78e8469 925fb7e2c9
commit 022603ddf9
3 changed files with 24 additions and 0 deletions
--- a/api/application.go
+++ b/api/application.go
@ -329,6 +329,14 @@ func (a *ApplicationAPI) UploadApplicationImage(ctx *gin.Context) {

 			ext := filepath.Ext(file.Filename)

+			switch ext {
+			case ".gif", ".png", ".jpg", ".jpeg":
+				// ok
+			default:
+				ctx.AbortWithError(400, errors.New("invalid file extension"))
+				return
+			}
+
 			name := generateNonExistingImageName(a.ImageDir, func() string {
 				return generateImageName() + ext
 			})
--- a/api/application_test.go
+++ b/api/application_test.go
@ -398,6 +398,22 @@ func (s *ApplicationSuite) Test_UploadAppImage_WithTextFile_expectBadRequest() {
 	assert.Equal(s.T(), s.ctx.Errors[0].Err, errors.New("file must be an image"))
 }

+func (s *ApplicationSuite) Test_UploadAppImage_WithHtmlFileHavingImageHeader() {
+	s.db.User(5).App(1)
+
+	cType, buffer, err := upload(map[string]*os.File{"file": mustOpen("../test/assets/image-header-with.html")})
+	assert.Nil(s.T(), err)
+	s.ctx.Request = httptest.NewRequest("POST", "/irrelevant", &buffer)
+	s.ctx.Request.Header.Set("Content-Type", cType)
+	test.WithUser(s.ctx, 5)
+	s.ctx.Params = gin.Params{{Key: "id", Value: "1"}}
+
+	s.a.UploadApplicationImage(s.ctx)
+
+	assert.Equal(s.T(), 400, s.recorder.Code)
+	assert.Equal(s.T(), s.ctx.Errors[0].Err, errors.New("invalid file extension"))
+}
+
 func (s *ApplicationSuite) Test_UploadAppImage_expectNotFound() {
 	s.db.User(5)

--- a/test/assets/image-header-with.html
+++ b/test/assets/image-header-with.html