Merge pull request #534 from gotify/fix-xss

Fix file upload XSS
gotify · Dec 28, 2022 · 022603d · 022603d
2 parents c8f78e8 + 925fb7e
commit 022603d
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 0 deletions.
diff --git a/api/application.go b/api/application.go
@@ -329,6 +329,14 @@ func (a *ApplicationAPI) UploadApplicationImage(ctx *gin.Context) {
 
 			ext := filepath.Ext(file.Filename)
 
+			switch ext {
+			case ".gif", ".png", ".jpg", ".jpeg":
+				// ok
+			default:
+				ctx.AbortWithError(400, errors.New("invalid file extension"))
+				return
+			}
+
 			name := generateNonExistingImageName(a.ImageDir, func() string {
 				return generateImageName() + ext
 			})

diff --git a/api/application_test.go b/api/application_test.go
@@ -398,6 +398,22 @@ func (s *ApplicationSuite) Test_UploadAppImage_WithTextFile_expectBadRequest() {
 	assert.Equal(s.T(), s.ctx.Errors[0].Err, errors.New("file must be an image"))
 }
 
+func (s *ApplicationSuite) Test_UploadAppImage_WithHtmlFileHavingImageHeader() {
+	s.db.User(5).App(1)
+
+	cType, buffer, err := upload(map[string]*os.File{"file": mustOpen("../test/assets/image-header-with.html")})
+	assert.Nil(s.T(), err)
+	s.ctx.Request = httptest.NewRequest("POST", "/irrelevant", &buffer)
+	s.ctx.Request.Header.Set("Content-Type", cType)
+	test.WithUser(s.ctx, 5)
+	s.ctx.Params = gin.Params{{Key: "id", Value: "1"}}
+
+	s.a.UploadApplicationImage(s.ctx)
+
+	assert.Equal(s.T(), 400, s.recorder.Code)
+	assert.Equal(s.T(), s.ctx.Errors[0].Err, errors.New("invalid file extension"))
+}
+
 func (s *ApplicationSuite) Test_UploadAppImage_expectNotFound() {
 	s.db.User(5)
 

diff --git a/test/assets/image-header-with.html b/test/assets/image-header-with.html