From 8bbf190928658e60f9f173911732352e827e331b Mon Sep 17 00:00:00 2001 From: Antoine GIRARD Date: Thu, 27 Jun 2019 04:13:31 +0200 Subject: [PATCH 1/5] define models.ErrFileTypeForbidden --- models/error.go | 15 +++++++++++++++ routers/api/v1/repo/release_attachment.go | 3 +-- routers/repo/attachment.go | 2 +- routers/repo/editor.go | 2 +- routers/repo/issue.go | 2 -- 5 files changed, 18 insertions(+), 6 deletions(-) diff --git a/models/error.go b/models/error.go index 11ca6e6863f7..111608298241 100644 --- a/models/error.go +++ b/models/error.go @@ -11,6 +11,21 @@ import ( "code.gitea.io/gitea/modules/git" ) +// ErrFileTypeForbidden not allowed file type error +type ErrFileTypeForbidden struct { + Type string +} + +// IsErrFileTypeForbidden checks if an error is a ErrFileTypeForbidden. +func IsErrFileTypeForbidden(err error) bool { + _, ok := err.(ErrFileTypeForbidden) + return ok +} + +func (err ErrFileTypeForbidden) Error() string { + return fmt.Sprintf("File type is not allowed: %s", err.Type) +} + // ErrNameReserved represents a "reserved name" error. type ErrNameReserved struct { Name string diff --git a/routers/api/v1/repo/release_attachment.go b/routers/api/v1/repo/release_attachment.go index f85787bc592a..8b0f42642353 100644 --- a/routers/api/v1/repo/release_attachment.go +++ b/routers/api/v1/repo/release_attachment.go @@ -5,7 +5,6 @@ package repo import ( - "errors" "net/http" "strings" @@ -190,7 +189,7 @@ func CreateReleaseAttachment(ctx *context.APIContext) { } if !allowed { - ctx.Error(400, "DetectContentType", errors.New("File type is not allowed")) + ctx.Error(400, "DetectContentType", models.ErrFileTypeForbidden{Type: fileType}) return } diff --git a/routers/repo/attachment.go b/routers/repo/attachment.go index 8913e630150c..242c692b13da 100644 --- a/routers/repo/attachment.go +++ b/routers/repo/attachment.go 
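Review bot: In the models/error.go hunk, the new `ErrFileTypeForbidden.Type` field and the `Error()` method have no comment saying what the string holds, yet the three router hunks of this patch (release_attachment.go, attachment.go, editor.go) pass the resulting message to `ctx.Error(400, …)`. The callers in this series fill `Type` from `http.DetectContentType`, which is a server-computed value. I would record that on the field, e.g. `// Type is the MIME type sniffed from the upload by http.DetectContentType; do not set it from a client-supplied header or file name.`, so a later caller does not start reflecting request data in the error text. `Error()` should also get the usual one-line comment, `// Error implements the error interface.`.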
@@ -56,7 +56,7 @@ func UploadAttachment(ctx *context.Context) { if !allowed { log.Info("Attachment with type %s blocked from upload", fileType) - ctx.Error(400, ErrFileTypeForbidden.Error()) + ctx.Error(400, models.ErrFileTypeForbidden{Type: fileType}.Error()) return } diff --git a/routers/repo/editor.go b/routers/repo/editor.go index 062ecfebf777..0cd5c12791ed 100644 --- a/routers/repo/editor.go +++ b/routers/repo/editor.go @@ -607,7 +607,7 @@ func UploadFileToServer(ctx *context.Context) { } if !allowed { - ctx.Error(400, ErrFileTypeForbidden.Error()) + ctx.Error(400, models.ErrFileTypeForbidden{Type: fileType}.Error()) return } } diff --git a/routers/repo/issue.go b/routers/repo/issue.go index 3904d29532fd..72e0357e6cf8 100644 --- a/routers/repo/issue.go +++ b/routers/repo/issue.go @@ -41,8 +41,6 @@ const ( ) var ( - // ErrFileTypeForbidden not allowed file type error - ErrFileTypeForbidden = errors.New("File type is not allowed") // ErrTooManyFiles upload too many files ErrTooManyFiles = errors.New("Maximum number of files to upload exceeded") // IssueTemplateCandidates issue templates From 74aee215a0bdd7876cc39e8ed6728fa3fd45f7bf Mon Sep 17 00:00:00 2001 From: Antoine GIRARD Date: Thu, 27 Jun 2019 04:29:48 +0200 Subject: [PATCH 2/5] refactor to util.VerifyAllowedContentType --- routers/api/v1/repo/release_attachment.go | 19 +++---------- routers/repo/attachment.go | 19 +++---------- routers/repo/editor.go | 17 +++--------- routers/utils/filetype.go | 34 +++++++++++++++++++++++ 4 files changed, 46 insertions(+), 43 deletions(-) create mode 100644 routers/utils/filetype.go diff --git a/routers/api/v1/repo/release_attachment.go b/routers/api/v1/repo/release_attachment.go index 8b0f42642353..ba3217d35f8a 100644 --- a/routers/api/v1/repo/release_attachment.go +++ b/routers/api/v1/repo/release_attachment.go 
@@ -5,12 +5,12 @@ package repo import ( - "net/http" "strings" "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/routers/utils" api "code.gitea.io/gitea/modules/structs" ) @@ -176,20 +176,9 @@ func CreateReleaseAttachment(ctx *context.APIContext) { } // Check if the filetype is allowed by the settings - fileType := http.DetectContentType(buf) - - allowedTypes := strings.Split(setting.AttachmentAllowedTypes, ",") - allowed := false - for _, t := range allowedTypes { - t := strings.Trim(t, " ") - if t == "*/*" || t == fileType { - allowed = true - break - } - } - - if !allowed { - ctx.Error(400, "DetectContentType", models.ErrFileTypeForbidden{Type: fileType}) + err = utils.VerifyAllowedContentType(buf, strings.Split(setting.AttachmentAllowedTypes, ",")) + if err != nil { + ctx.Error(400, "DetectContentType", err) return } diff --git a/routers/repo/attachment.go b/routers/repo/attachment.go index 242c692b13da..9fdd26c795e0 100644 --- a/routers/repo/attachment.go +++ b/routers/repo/attachment.go @@ -6,13 +6,13 @@ package repo import ( "fmt" - "net/http" "strings" "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/routers/utils" ) func renderAttachmentSettings(ctx *context.Context) { 
@@ -42,21 +42,10 @@ func UploadAttachment(ctx *context.Context) { if n > 0 { buf = buf[:n] } - fileType := http.DetectContentType(buf) - allowedTypes := strings.Split(setting.AttachmentAllowedTypes, ",") - allowed := false - for _, t := range allowedTypes { - t := strings.Trim(t, " ") - if t == "*/*" || t == fileType { - allowed = true - break - } - } - - if !allowed { - log.Info("Attachment with type %s blocked from upload", fileType) - ctx.Error(400, models.ErrFileTypeForbidden{Type: fileType}.Error()) + err = utils.VerifyAllowedContentType(buf, strings.Split(setting.AttachmentAllowedTypes, ",")) + if err != nil { + ctx.Error(400, err.Error()) return } diff --git a/routers/repo/editor.go b/routers/repo/editor.go index 0cd5c12791ed..61fb9b22003d 100644 --- a/routers/repo/editor.go +++ b/routers/repo/editor.go @@ -7,7 +7,6 @@ package repo import ( "fmt" "io/ioutil" - "net/http" "path" "strings" @@ -21,6 +20,7 @@ import ( "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/templates" "code.gitea.io/gitea/modules/util" + "code.gitea.io/gitea/routers/utils" ) const ( @@ -594,20 +594,11 @@ func UploadFileToServer(ctx *context.Context) { if n > 0 { buf = buf[:n] } - fileType := http.DetectContentType(buf) if len(setting.Repository.Upload.AllowedTypes) > 0 { - allowed := false - for _, t := range setting.Repository.Upload.AllowedTypes { - t := strings.Trim(t, " ") - if t == "*/*" || t == fileType { - allowed = true - break - } - } - - if !allowed { - ctx.Error(400, models.ErrFileTypeForbidden{Type: fileType}.Error()) + err = utils.VerifyAllowedContentType(buf, setting.Repository.Upload.AllowedTypes) + if err != nil { + ctx.Error(400, err.Error()) return } } diff --git a/routers/utils/filetype.go b/routers/utils/filetype.go new file mode 100644 index 000000000000..bd55a85ed466 --- /dev/null +++ b/routers/utils/filetype.go 
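Review bot: In the routers/repo/editor.go hunk (`@@ -594,20 +594,11 @@`), the `len(setting.Repository.Upload.AllowedTypes) > 0` guard around the new call makes an empty allow-list mean "no restriction". The helper on its own rejects every upload when `allowedTypes` is empty, and the attachment callers hit that reject-all case when their setting is empty, because `strings.Split("", ",")` returns `[""]`. With one shared helper the opposite defaults are no longer visible at the call sites, so I would state the choice next to the guard, e.g. `// Empty AllowedTypes means no type restriction for repository uploads; the helper alone would reject everything.`. UploadFileToServer starts and ends outside this hunk.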
@@ -0,0 +1,34 @@ +// Copyright 2019 The Gitea Authors. All rights reserved. +// Use of this source code is governed by a MIT-style +// license that can be found in the LICENSE file. + +package utils + +import ( + "net/http" + "strings" + + "code.gitea.io/gitea/models" + "code.gitea.io/gitea/modules/log" +) + +// VerifyAllowedContentType validates a file is allwoed to be uploaded. +func VerifyAllowedContentType(buf []byte, allowedTypes []string) error { + fileType := http.DetectContentType(buf) + + allowed := false + for _, t := range allowedTypes { + t := strings.Trim(t, " ") + if t == "*/*" || t == fileType { + allowed = true + break + } + } + + if !allowed { + log.Info("Attachment with type %s blocked from upload", fileType) + return models.ErrFileTypeForbidden{Type: fileType} + } + + return nil +} From c4892e50803be671445c12b0669153da72523fdb Mon Sep 17 00:00:00 2001 From: Antoine GIRARD Date: Thu, 27 Jun 2019 04:43:35 +0200 Subject: [PATCH 3/5] fix typo --- routers/utils/filetype.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/routers/utils/filetype.go b/routers/utils/filetype.go index bd55a85ed466..06a6d7bbbe3a 100644 --- a/routers/utils/filetype.go +++ b/routers/utils/filetype.go @@ -12,7 +12,7 @@ import ( "code.gitea.io/gitea/modules/log" ) -// VerifyAllowedContentType validates a file is allwoed to be uploaded. +// VerifyAllowedContentType validates a file is allowed to be uploaded. func VerifyAllowedContentType(buf []byte, allowedTypes []string) error { fileType := http.DetectContentType(buf) From e0e74fea81b4ef08c4a309d1cba3ccea25d99508 Mon Sep 17 00:00:00 2001 
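Review bot: In `VerifyAllowedContentType` the comparison `t == fileType` uses the full return value of `http.DetectContentType`, which carries a parameter for text formats (for example `text/plain; charset=utf-8`), so an allow-list entry of `text/plain` never matches and those uploads are refused. The behaviour is inherited from the three copies this helper replaces, but with a single place to fix it I would compare the media type only, e.g. `if i := strings.Index(fileType, ";"); i >= 0 { fileType = strings.TrimSpace(fileType[:i]) }` before the loop. The doc comment should also say that `buf` is the leading bytes of the upload (DetectContentType considers at most the first 512), so the result is a sniff of that prefix and says nothing about the rest of the file or the name it is stored under.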
From: Antoine GIRARD Date: Sat, 29 Jun 2019 18:37:01 +0200 Subject: [PATCH 4/5] use specific modules/upload --- models/error.go | 15 ------------- {routers/utils => modules/upload}/filetype.go | 21 ++++++++++++++++--- routers/api/v1/repo/release_attachment.go | 4 ++-- routers/repo/attachment.go | 4 ++-- routers/repo/editor.go | 4 ++-- 5 files changed, 24 insertions(+), 24 deletions(-) rename {routers/utils => modules/upload}/filetype.go (59%) diff --git a/models/error.go b/models/error.go index 111608298241..11ca6e6863f7 100644 --- a/models/error.go +++ b/models/error.go @@ -11,21 +11,6 @@ import ( "code.gitea.io/gitea/modules/git" ) -// ErrFileTypeForbidden not allowed file type error -type ErrFileTypeForbidden struct { - Type string -} - -// IsErrFileTypeForbidden checks if an error is a ErrFileTypeForbidden. -func IsErrFileTypeForbidden(err error) bool { - _, ok := err.(ErrFileTypeForbidden) - return ok -} - -func (err ErrFileTypeForbidden) Error() string { - return fmt.Sprintf("File type is not allowed: %s", err.Type) -} - // ErrNameReserved represents a "reserved name" error. type ErrNameReserved struct { Name string diff --git a/routers/utils/filetype.go b/modules/upload/filetype.go similarity index 59% rename from routers/utils/filetype.go rename to modules/upload/filetype.go index 06a6d7bbbe3a..1ec7324ed319 100644 --- a/routers/utils/filetype.go +++ b/modules/upload/filetype.go 
@@ -2,16 +2,31 @@ // Use of this source code is governed by a MIT-style // license that can be found in the LICENSE file. -package utils +package upload import ( + "fmt" "net/http" "strings" - "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/log" ) +// ErrFileTypeForbidden not allowed file type error +type ErrFileTypeForbidden struct { + Type string +} + +// IsErrFileTypeForbidden checks if an error is a ErrFileTypeForbidden. +func IsErrFileTypeForbidden(err error) bool { + _, ok := err.(ErrFileTypeForbidden) + return ok +} + +func (err ErrFileTypeForbidden) Error() string { + return fmt.Sprintf("File type is not allowed: %s", err.Type) +} + // VerifyAllowedContentType validates a file is allowed to be uploaded. func VerifyAllowedContentType(buf []byte, allowedTypes []string) error { fileType := http.DetectContentType(buf) @@ -27,7 +42,7 @@ func VerifyAllowedContentType(buf []byte, allowedTypes []string) error { if !allowed { log.Info("Attachment with type %s blocked from upload", fileType) - return models.ErrFileTypeForbidden{Type: fileType} + return ErrFileTypeForbidden{Type: fileType} } return nil diff --git a/routers/api/v1/repo/release_attachment.go b/routers/api/v1/repo/release_attachment.go index ba3217d35f8a..88a82fa93e5f 100644 --- a/routers/api/v1/repo/release_attachment.go +++ b/routers/api/v1/repo/release_attachment.go @@ -9,8 +9,8 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/context" + "code.gitea.io/gitea/modules/upload" "code.gitea.io/gitea/modules/setting" - "code.gitea.io/gitea/routers/utils" api "code.gitea.io/gitea/modules/structs" ) @@ -176,7 +176,7 @@ func CreateReleaseAttachment(ctx *context.APIContext) { } // Check if the filetype is allowed by the settings - err = utils.VerifyAllowedContentType(buf, strings.Split(setting.AttachmentAllowedTypes, ",")) + err = upload.VerifyAllowedContentType(buf, strings.Split(setting.AttachmentAllowedTypes, ",")) if err != nil { ctx.Error(400, "DetectContentType", err) return 
diff --git a/routers/repo/attachment.go b/routers/repo/attachment.go index 9fdd26c795e0..a07a2a8ace9c 100644 --- a/routers/repo/attachment.go +++ b/routers/repo/attachment.go @@ -12,7 +12,7 @@ import ( "code.gitea.io/gitea/modules/context" "code.gitea.io/gitea/modules/log" "code.gitea.io/gitea/modules/setting" - "code.gitea.io/gitea/routers/utils" + "code.gitea.io/gitea/modules/upload" ) func renderAttachmentSettings(ctx *context.Context) { @@ -43,7 +43,7 @@ func UploadAttachment(ctx *context.Context) { buf = buf[:n] } - err = utils.VerifyAllowedContentType(buf, strings.Split(setting.AttachmentAllowedTypes, ",")) + err = upload.VerifyAllowedContentType(buf, strings.Split(setting.AttachmentAllowedTypes, ",")) if err != nil { ctx.Error(400, err.Error()) return diff --git a/routers/repo/editor.go b/routers/repo/editor.go index 61fb9b22003d..f3327017e5f3 100644 --- a/routers/repo/editor.go +++ b/routers/repo/editor.go @@ -19,8 +19,8 @@ import ( "code.gitea.io/gitea/modules/repofiles" "code.gitea.io/gitea/modules/setting" "code.gitea.io/gitea/modules/templates" + "code.gitea.io/gitea/modules/upload" "code.gitea.io/gitea/modules/util" - "code.gitea.io/gitea/routers/utils" ) const ( @@ -596,7 +596,7 @@ func UploadFileToServer(ctx *context.Context) { } if len(setting.Repository.Upload.AllowedTypes) > 0 { - err = utils.VerifyAllowedContentType(buf, setting.Repository.Upload.AllowedTypes) + err = upload.VerifyAllowedContentType(buf, setting.Repository.Upload.AllowedTypes) if err != nil { ctx.Error(400, err.Error()) return From 1caecc41bdd66ded234b98d1380bc0a024ea22a5 Mon Sep 17 00:00:00 2001 From: Antoine GIRARD Date: Mon, 1 Jul 2019 15:57:14 +0200 Subject: [PATCH 5/5] make fmt --- routers/api/v1/repo/release_attachment.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/routers/api/v1/repo/release_attachment.go b/routers/api/v1/repo/release_attachment.go index 88a82fa93e5f..d0eb3d4ae11e 100644 --- a/routers/api/v1/repo/release_attachment.go 
+++ b/routers/api/v1/repo/release_attachment.go @@ -9,8 +9,8 @@ import ( "code.gitea.io/gitea/models" "code.gitea.io/gitea/modules/context" - "code.gitea.io/gitea/modules/upload" "code.gitea.io/gitea/modules/setting" + "code.gitea.io/gitea/modules/upload" api "code.gitea.io/gitea/modules/structs" )