Merge pull request #534 from gotify/fix-xss

Fix file upload XSS
2022-12-28 19:38:05 +00:00 · 2022-12-28 19:38:05 +00:00 · 022603ddf9
parent c8f78e8469 925fb7e2c9
commit 022603ddf9
3 changed files with 24 additions and 0 deletions
--- a/api/application.go
+++ b/api/application.go
@ -329,6 +329,14 @@ func (a *ApplicationAPI) UploadApplicationImage(ctx *gin.Context) {
 			ext := filepath.Ext(file.Filename)
 			switch ext {
 			case ".gif", ".png", ".jpg", ".jpeg":
 				// ok
 			default:
 				ctx.AbortWithError(400, errors.New("invalid file extension"))
 				return
 			}
 			name := generateNonExistingImageName(a.ImageDir, func() string {
 				return generateImageName() + ext
 			})
--- a/api/application_test.go
+++ b/api/application_test.go
@ -398,6 +398,22 @@ func (s *ApplicationSuite) Test_UploadAppImage_WithTextFile_expectBadRequest() {
 	assert.Equal(s.T(), s.ctx.Errors[0].Err, errors.New("file must be an image"))
 }
 func (s *ApplicationSuite) Test_UploadAppImage_WithHtmlFileHavingImageHeader() {
 	s.db.User(5).App(1)
 	cType, buffer, err := upload(map[string]*os.File{"file": mustOpen("../test/assets/image-header-with.html")})
 	assert.Nil(s.T(), err)
 	s.ctx.Request = httptest.NewRequest("POST", "/irrelevant", &buffer)
 	s.ctx.Request.Header.Set("Content-Type", cType)
 	test.WithUser(s.ctx, 5)
 	s.ctx.Params = gin.Params{{Key: "id", Value: "1"}}
 	s.a.UploadApplicationImage(s.ctx)
 	assert.Equal(s.T(), 400, s.recorder.Code)
 	assert.Equal(s.T(), s.ctx.Errors[0].Err, errors.New("invalid file extension"))
 }
 func (s *ApplicationSuite) Test_UploadAppImage_expectNotFound() {
 	s.db.User(5)
--- a/test/assets/image-header-with.html
+++ b/test/assets/image-header-with.html