Honour allowed extensions

2024-02-23 10:06:38 +01:00 · 2024-02-23 10:06:38 +01:00 · 625faa5e0a
commit 625faa5e0a
parent 2676eaba74
3 changed files with 53 additions and 0 deletions
--- a/app/models/dmsf_file_revision.rb
+++ b/app/models/dmsf_file_revision.rb
@ -95,6 +95,7 @@ class DmsfFileRevision < ApplicationRecord
  validates :name, dmsf_file_name: true
  validates :name, length: { maximum: 255 }
  validates :disk_filename, length: { maximum: 255 }
+  validates :name, dmsf_file_extension: true
  validates :description, length: { maximum: 1.kilobyte }
  validates :size, dmsf_max_file_size: true

--- a/app/validators/dmsf_file_extension_validator.rb
+++ b/app/validators/dmsf_file_extension_validator.rb
@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+# Redmine plugin for Document Management System "Features"
+#
+# Vít Jonáš <vit.jonas@gmail.com>, Karel Pičman <karel.picman@kontron.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License
+# as published by the Free Software Foundation; either version 2
+# of the License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+
+# File extension validator according to the Redmine whitelist and blacklist for file upload.
+class DmsfFileExtensionValidator < ActiveModel::EachValidator
+  include Redmine::I18n
+
+  def validate_each(record, attribute, value)
+    return true unless attribute.to_s == 'name'
+
+    extension = File.extname(value)
+    return true if Attachment.valid_extension?(extension)
+
+    record.errors.add(:base, l(:error_attachment_extension_not_allowed, extension: extension))
+  end
+end
--- a/test/unit/dmsf_file_revision_test.rb
+++ b/test/unit/dmsf_file_revision_test.rb
@ -129,6 +129,25 @@ class DmsfFileRevisionTest < RedmineDmsf::Test::UnitTest
    assert_not_equal r1.disk_filename, r2.disk_filename, 'The disk filename should not be equal for two revisions.'
  end

+  def test_invalid_filename_extension
+    with_settings(attachment_extensions_allowed: 'txt') do
+      r1 = DmsfFileRevision.new
+      r1.minor_version = 0
+      r1.major_version = 1
+      r1.dmsf_file = @file1 # name test.txt
+      r1.user = User.current
+      r1.name = 'test.txt.png'
+      r1.title = DmsfFileRevision.filename_to_title(r1.name)
+      r1.description = nil
+      r1.comment = nil
+      r1.mime_type = nil
+      r1.size = 4
+      assert r1.invalid?
+      message = ['Attachment extension .png is not allowed']
+      assert_equal message, r1.errors.full_messages
+    end
+  end
+
  def test_workflow_tooltip
    @revision2.set_workflow @wf1.id, 'start'
    assert_equal 'John Smith', @revision2.workflow_tooltip