Use the IFileStreamSecurityValidator in the temporary file service

2023-08-28 12:17:34 +02:00
parent 6fbf04592c
commit 1b3f7afe20
3 changed files with 20 additions and 3 deletions
--- a/src/Umbraco.Cms.Api.Management/Controllers/TemporaryFile/TemporaryFileControllerBase.cs
+++ b/src/Umbraco.Cms.Api.Management/Controllers/TemporaryFile/TemporaryFileControllerBase.cs
@@ -25,8 +25,11 @@ public abstract class TemporaryFileControllerBase : ManagementApiControllerBase
                .Build()),

            TemporaryFileOperationStatus.NotFound => NotFound(new ProblemDetailsBuilder()
-                    .WithTitle("The temporary file was not found")
-                    .Build()),
+                .WithTitle("The temporary file was not found")
+                .Build()),
+            TemporaryFileOperationStatus.UploadBlocked => NotFound(new ProblemDetailsBuilder()
+                .WithTitle("The temporary file was blocked by a validator")
+                .Build()),
            _ => StatusCode(StatusCodes.Status500InternalServerError, new ProblemDetailsBuilder()
                .WithTitle("Unknown temporary file operation status.")
                .Build()),
--- a/src/Umbraco.Core/Services/OperationStatus/TemporaryFileUploadStatus.cs
+++ b/src/Umbraco.Core/Services/OperationStatus/TemporaryFileUploadStatus.cs
@@ -6,4 +6,5 @@ public enum TemporaryFileOperationStatus
    FileExtensionNotAllowed = 1,
    KeyAlreadyUsed = 2,
    NotFound = 3,
+    UploadBlocked
 }
--- a/src/Umbraco.Core/Services/TemporaryFileService.cs
+++ b/src/Umbraco.Core/Services/TemporaryFileService.cs
@@ -2,6 +2,7 @@ using Microsoft.Extensions.Options;
 using Umbraco.Cms.Core.Configuration.Models;
 using Umbraco.Cms.Core.Models.TemporaryFile;
 using Umbraco.Cms.Core.Persistence.Repositories;
+using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Core.Services.OperationStatus;
 using Umbraco.Extensions;

@@ -10,15 +11,18 @@ namespace Umbraco.Cms.Core.Services;
 internal sealed class TemporaryFileService : ITemporaryFileService
 {
    private readonly ITemporaryFileRepository _temporaryFileRepository;
+    private readonly IFileStreamSecurityValidator _fileStreamSecurityValidator;
    private RuntimeSettings _runtimeSettings;
    private ContentSettings _contentSettings;

    public TemporaryFileService(
        ITemporaryFileRepository temporaryFileRepository,
        IOptionsMonitor<RuntimeSettings> runtimeOptionsMonitor,
-        IOptionsMonitor<ContentSettings> contentOptionsMonitor)
+        IOptionsMonitor<ContentSettings> contentOptionsMonitor,
+        IFileStreamSecurityValidator fileStreamSecurityValidator)
    {
        _temporaryFileRepository = temporaryFileRepository;
+        _fileStreamSecurityValidator = fileStreamSecurityValidator;

        _runtimeSettings = runtimeOptionsMonitor.CurrentValue;
        _contentSettings = contentOptionsMonitor.CurrentValue;
@@ -41,6 +45,15 @@ internal sealed class TemporaryFileService : ITemporaryFileService
            return Attempt.FailWithStatus<TemporaryFileModel?, TemporaryFileOperationStatus>(TemporaryFileOperationStatus.KeyAlreadyUsed, null);
        }

+
+        await using Stream dataStream = createModel.OpenReadStream();
+        dataStream.Seek(0, SeekOrigin.Begin);
+        if (_fileStreamSecurityValidator.IsConsideredSafe(dataStream) is false)
+        {
+            return Attempt.FailWithStatus<TemporaryFileModel?, TemporaryFileOperationStatus>(TemporaryFileOperationStatus.UploadBlocked, null);
+        }
+
+
        temporaryFileModel = new TemporaryFileModel
        {
            Key = createModel.Key,