Allow file access not in Attachments table (#5876)
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
This commit is contained in:
Tom Moor
GitHub
@@ -1,9 +1,12 @@
|
||||
import { existsSync } from "fs";
|
||||
import { existsSync, copyFileSync } from "fs";
|
||||
import { readFile } from "fs/promises";
|
||||
import path from "path";
|
||||
import FormData from "form-data";
|
||||
import { ensureDirSync } from "fs-extra";
|
||||
import { v4 as uuidV4 } from "uuid";
|
||||
import env from "@server/env";
|
||||
import "@server/test/env";
|
||||
import FileStorage from "@server/storage/files";
|
||||
import { buildAttachment, buildUser } from "@server/test/factories";
|
||||
import { getTestServer } from "@server/test/support";
|
||||
|
||||
@@ -18,11 +21,33 @@ describe("#files.create", () => {
|
||||
key: "public/foo/bar/baz.png",
|
||||
},
|
||||
});
|
||||
const body = await res.json();
|
||||
expect(res.status).toEqual(400);
|
||||
expect(body.message).toEqual(
|
||||
"key: Must be of the form uploads/<uuid>/<uuid>/<name> or public/<uuid>/<uuid>/<name>"
|
||||
});
|
||||
|
||||
it("should fail with status 404 if existing file is requested with key", async () => {
|
||||
const user = await buildUser();
|
||||
const fileName = "images.docx";
|
||||
const key = path.join("uploads", user.id, uuidV4(), fileName);
|
||||
|
||||
ensureDirSync(
|
||||
path.dirname(path.join(env.FILE_STORAGE_LOCAL_ROOT_DIR, key))
|
||||
);
|
||||
|
||||
copyFileSync(
|
||||
path.resolve(__dirname, "..", "test", "fixtures", fileName),
|
||||
path.join(env.FILE_STORAGE_LOCAL_ROOT_DIR, key)
|
||||
);
|
||||
|
||||
const res = await server.get(`/api/files.get?key=${key}`);
|
||||
expect(res.status).toEqual(404);
|
||||
});
|
||||
|
||||
it("should fail with status 404 if non-existing file is requested with key", async () => {
|
||||
const user = await buildUser();
|
||||
const fileName = "images.docx";
|
||||
const key = path.join("uploads", user.id, uuidV4(), fileName);
|
||||
const res = await server.get(`/api/files.get?key=${key}`);
|
||||
expect(res.status).toEqual(404);
|
||||
});
|
||||
|
||||
it("should succeed with status 200 ok and create a file", async () => {
|
||||
@@ -63,21 +88,17 @@ describe("#files.create", () => {
|
||||
describe("#files.get", () => {
|
||||
it("should fail with status 400 bad request if key is invalid", async () => {
|
||||
const res = await server.get(`/api/files.get?key=public/foo/bar/baz.png`);
|
||||
const body = await res.json();
|
||||
expect(res.status).toEqual(400);
|
||||
expect(body.message).toEqual(
|
||||
"key: Must be of the form uploads/<uuid>/<uuid>/<name> or public/<uuid>/<uuid>/<name>"
|
||||
);
|
||||
});
|
||||
|
||||
it("should fail with status 400 bad request if none of key or sig is supplied", async () => {
|
||||
it("should fail with status 400 bad request if neither key or sig is supplied", async () => {
|
||||
const res = await server.get("/api/files.get");
|
||||
const body = await res.json();
|
||||
expect(res.status).toEqual(400);
|
||||
expect(body.message).toEqual("query: One of key or sig is required");
|
||||
});
|
||||
|
||||
it("should succeed with status 200 ok when file is requested using key", async () => {
|
||||
it("should succeed with status 200 ok when attachment is requested using key", async () => {
|
||||
const user = await buildUser();
|
||||
const fileName = "images.docx";
|
||||
|
||||
@@ -112,7 +133,7 @@ describe("#files.get", () => {
|
||||
);
|
||||
});
|
||||
|
||||
it("should succeed with status 200 ok when private file is requested using signature", async () => {
|
||||
it("should succeed with status 200 ok when private attachment is requested using signature", async () => {
|
||||
const user = await buildUser();
|
||||
const fileName = "images.docx";
|
||||
|
||||
@@ -147,4 +168,48 @@ describe("#files.get", () => {
|
||||
'attachment; filename="images.docx"'
|
||||
);
|
||||
});
|
||||
|
||||
it("should succeed with status 200 ok when file is requested using signature", async () => {
|
||||
const user = await buildUser();
|
||||
const fileName = "images.docx";
|
||||
const key = path.join("uploads", user.id, uuidV4(), fileName);
|
||||
const signedUrl = await FileStorage.getSignedUrl(key);
|
||||
|
||||
ensureDirSync(
|
||||
path.dirname(path.join(env.FILE_STORAGE_LOCAL_ROOT_DIR, key))
|
||||
);
|
||||
|
||||
copyFileSync(
|
||||
path.resolve(__dirname, "..", "test", "fixtures", fileName),
|
||||
path.join(env.FILE_STORAGE_LOCAL_ROOT_DIR, key)
|
||||
);
|
||||
|
||||
const res = await server.get(signedUrl);
|
||||
expect(res.status).toEqual(200);
|
||||
expect(res.headers.get("Content-Type")).toEqual(
|
||||
"application/vnd.openxmlformats-officedocument.wordprocessingml.document"
|
||||
);
|
||||
expect(res.headers.get("Content-Disposition")).toEqual(
|
||||
'attachment; filename="images.docx"'
|
||||
);
|
||||
});
|
||||
|
||||
it("should succeed with status 200 ok when avatar is requested using key", async () => {
|
||||
const user = await buildUser();
|
||||
const key = path.join("avatars", user.id, uuidV4());
|
||||
|
||||
ensureDirSync(
|
||||
path.dirname(path.join(env.FILE_STORAGE_LOCAL_ROOT_DIR, key))
|
||||
);
|
||||
|
||||
copyFileSync(
|
||||
path.resolve(__dirname, "..", "test", "fixtures", "avatar.jpg"),
|
||||
path.join(env.FILE_STORAGE_LOCAL_ROOT_DIR, key)
|
||||
);
|
||||
|
||||
const res = await server.get(`/api/files.get?key=${key}`);
|
||||
expect(res.status).toEqual(200);
|
||||
expect(res.headers.get("Content-Type")).toEqual("application/octet-stream");
|
||||
expect(res.headers.get("Content-Disposition")).toEqual("attachment");
|
||||
});
|
||||
});
|
||||
|
||||
@@ -1,14 +1,19 @@
|
||||
import JWT from "jsonwebtoken";
|
||||
import Router from "koa-router";
|
||||
import mime from "mime-types";
|
||||
import env from "@server/env";
|
||||
import { ValidationError } from "@server/errors";
|
||||
import { AuthenticationError, ValidationError } from "@server/errors";
|
||||
import auth from "@server/middlewares/authentication";
|
||||
import multipart from "@server/middlewares/multipart";
|
||||
import { rateLimiter } from "@server/middlewares/rateLimiter";
|
||||
import validate from "@server/middlewares/validate";
|
||||
import { Attachment } from "@server/models";
|
||||
import AttachmentHelper from "@server/models/helpers/AttachmentHelper";
|
||||
import { authorize } from "@server/policies";
|
||||
import FileStorage from "@server/storage/files";
|
||||
import { APIContext } from "@server/types";
|
||||
import { RateLimiterStrategy } from "@server/utils/RateLimiter";
|
||||
import { getJWTPayload } from "@server/utils/jwt";
|
||||
import { createRootDirForLocalStorage } from "../utils";
|
||||
import * as T from "./schema";
|
||||
|
||||
@@ -27,7 +32,10 @@ router.post(
|
||||
const { key } = ctx.input.body;
|
||||
const file = ctx.input.file;
|
||||
|
||||
const attachment = await Attachment.findByKey(key);
|
||||
const attachment = await Attachment.findOne({
|
||||
where: { key },
|
||||
rejectOnEmpty: true,
|
||||
});
|
||||
|
||||
if (attachment.isPrivate) {
|
||||
authorize(actor, "createAttachment", actor.team);
|
||||
@@ -46,26 +54,60 @@ router.get(
|
||||
auth({ optional: true }),
|
||||
validate(T.FilesGetSchema),
|
||||
async (ctx: APIContext<T.FilesGetReq>) => {
|
||||
const { key, sig } = ctx.input.query;
|
||||
const actor = ctx.state.auth.user;
|
||||
let attachment: Attachment | null;
|
||||
const key = getKeyFromContext(ctx);
|
||||
const isSignedRequest = !!ctx.input.query.sig;
|
||||
const { isPublicBucket, fileName } = AttachmentHelper.parseKey(key);
|
||||
const skipAuthorize = isPublicBucket || isSignedRequest;
|
||||
const cacheHeader = "max-age=604800, immutable";
|
||||
|
||||
if (key) {
|
||||
attachment = await Attachment.findByKey(key);
|
||||
|
||||
if (attachment.isPrivate) {
|
||||
authorize(actor, "read", attachment);
|
||||
}
|
||||
} else if (sig) {
|
||||
attachment = await Attachment.findBySignature(sig);
|
||||
if (skipAuthorize) {
|
||||
ctx.set("Cache-Control", cacheHeader);
|
||||
ctx.set(
|
||||
"Content-Type",
|
||||
(fileName ? mime.lookup(fileName) : undefined) ||
|
||||
"application/octet-stream"
|
||||
);
|
||||
ctx.attachment(fileName);
|
||||
ctx.body = FileStorage.getFileStream(key);
|
||||
} else {
|
||||
throw ValidationError("Must provide either key or signature");
|
||||
}
|
||||
const attachment = await Attachment.findOne({
|
||||
where: { key },
|
||||
rejectOnEmpty: true,
|
||||
});
|
||||
authorize(actor, "read", attachment);
|
||||
|
||||
ctx.set("Content-Type", attachment.contentType);
|
||||
ctx.attachment(attachment.name);
|
||||
ctx.body = attachment.stream;
|
||||
ctx.set("Cache-Control", cacheHeader);
|
||||
ctx.set("Content-Type", attachment.contentType);
|
||||
ctx.attachment(attachment.name);
|
||||
ctx.body = attachment.stream;
|
||||
}
|
||||
}
|
||||
);
|
||||
|
||||
function getKeyFromContext(ctx: APIContext<T.FilesGetReq>): string {
|
||||
const { key, sig } = ctx.input.query;
|
||||
if (sig) {
|
||||
const payload = getJWTPayload(sig);
|
||||
|
||||
if (payload.type !== "attachment") {
|
||||
throw AuthenticationError("Invalid signature");
|
||||
}
|
||||
|
||||
try {
|
||||
JWT.verify(sig, env.SECRET_KEY);
|
||||
} catch (err) {
|
||||
throw AuthenticationError("Invalid signature");
|
||||
}
|
||||
|
||||
return payload.key as string;
|
||||
}
|
||||
|
||||
if (key) {
|
||||
return key;
|
||||
}
|
||||
|
||||
throw ValidationError("Must provide either key or sig parameter");
|
||||
}
|
||||
|
||||
export default router;
|
||||
|
||||
BIN
plugins/storage/server/test/fixtures/avatar.jpg
vendored
Normal file
BIN
plugins/storage/server/test/fixtures/avatar.jpg
vendored
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 35 KiB |
Reference in New Issue
Block a user