Honour allowed extensions

danmunn · Feb 23, 2024 · 625faa5 · 625faa5
1 parent 2676eab
commit 625faa5
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 0 deletions.
diff --git a/app/models/dmsf_file_revision.rb b/app/models/dmsf_file_revision.rb
@@ -95,6 +95,7 @@ class DmsfFileRevision < ApplicationRecord
   validates :name, dmsf_file_name: true
   validates :name, length: { maximum: 255 }
   validates :disk_filename, length: { maximum: 255 }
+  validates :name, dmsf_file_extension: true
   validates :description, length: { maximum: 1.kilobyte }
   validates :size, dmsf_max_file_size: true
 

diff --git a/app/validators/dmsf_file_extension_validator.rb b/app/validators/dmsf_file_extension_validator.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+# Redmine plugin for Document Management System "Features"
+#
+# Vít Jonáš <[email protected]>, Karel Pičman <[email protected]>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+# File extension validator according to the Redmine whitelist and blacklist for file upload.
+class DmsfFileExtensionValidator < ActiveModel::EachValidator
+  include Redmine::I18n
+
+  def validate_each(record, attribute, value)
+    return true unless attribute.to_s == 'name'
+
+    extension = File.extname(value)
+    return true if Attachment.valid_extension?(extension)
+
+    record.errors.add(:base, l(:error_attachment_extension_not_allowed, extension: extension))
+  end
+end
diff --git a/test/unit/dmsf_file_revision_test.rb b/test/unit/dmsf_file_revision_test.rb
@@ -129,6 +129,25 @@ def test_new_storage_filename
     assert_not_equal r1.disk_filename, r2.disk_filename, 'The disk filename should not be equal for two revisions.'
   end
 
+  def test_invalid_filename_extension
+    with_settings(attachment_extensions_allowed: 'txt') do
+      r1 = DmsfFileRevision.new
+      r1.minor_version = 0
+      r1.major_version = 1
+      r1.dmsf_file = @file1 # name test.txt
+      r1.user = User.current
+      r1.name = 'test.txt.png'
+      r1.title = DmsfFileRevision.filename_to_title(r1.name)
+      r1.description = nil
+      r1.comment = nil
+      r1.mime_type = nil
+      r1.size = 4
+      assert r1.invalid?
+      message = ['Attachment extension .png is not allowed']
+      assert_equal message, r1.errors.full_messages
+    end
+  end
+
   def test_workflow_tooltip
     @revision2.set_workflow @wf1.id, 'start'
     assert_equal 'John Smith', @revision2.workflow_tooltip