diff --git a/app/Actions/CommentRepo.php b/app/Actions/CommentRepo.php index 85fb6498a..8121dfc5c 100644 --- a/app/Actions/CommentRepo.php +++ b/app/Actions/CommentRepo.php @@ -66,13 +66,13 @@ class CommentRepo /** * Delete a comment from the system. */ - public function delete(Comment $comment) + public function delete(Comment $comment): void { $comment->delete(); } /** - * Convert the given comment markdown text to HTML. + * Convert the given comment Markdown to HTML. */ public function commentToHtml(string $commentText): string { diff --git a/app/Auth/User.php b/app/Auth/User.php index 0a6849fe0..da47a9d69 100644 --- a/app/Auth/User.php +++ b/app/Auth/User.php @@ -27,7 +27,7 @@ use Illuminate\Support\Collection; /** * Class User. * - * @property string $id + * @property int $id * @property string $name * @property string $slug * @property string $email diff --git a/app/Entities/Tools/PageContent.php b/app/Entities/Tools/PageContent.php index 724230a3d..c5b17ddef 100644 --- a/app/Entities/Tools/PageContent.php +++ b/app/Entities/Tools/PageContent.php @@ -9,6 +9,7 @@ use BookStack\Exceptions\ImageUploadException; use BookStack\Facades\Theme; use BookStack\Theming\ThemeEvents; use BookStack\Uploads\ImageRepo; +use BookStack\Uploads\ImageService; use BookStack\Util\HtmlContentFilter; use DOMDocument; use DOMNodeList; @@ -130,7 +131,7 @@ class PageContent $imageInfo = $this->parseBase64ImageUri($uri); // Validate extension and content - if (empty($imageInfo['data']) || !$imageRepo->imageExtensionSupported($imageInfo['extension'])) { + if (empty($imageInfo['data']) || !ImageService::isExtensionSupported($imageInfo['extension'])) { return ''; } diff --git a/app/Http/Controllers/AttachmentController.php b/app/Http/Controllers/AttachmentController.php index 56503a694..477640b0a 100644 --- a/app/Http/Controllers/AttachmentController.php +++ b/app/Http/Controllers/AttachmentController.php @@ -68,6 +68,7 @@ class AttachmentController extends Controller 'file' => 'required|file', ]); + /** @var Attachment $attachment */ $attachment = Attachment::query()->findOrFail($attachmentId); $this->checkOwnablePermission('view', $attachment->page); $this->checkOwnablePermission('page-update', $attachment->page); @@ -86,11 +87,10 @@ class AttachmentController extends Controller /** * Get the update form for an attachment. - * - * @return \Illuminate\Contracts\Foundation\Application|\Illuminate\Contracts\View\Factory|\Illuminate\View\View */ public function getUpdateForm(string $attachmentId) { + /** @var Attachment $attachment */ $attachment = Attachment::query()->findOrFail($attachmentId); $this->checkOwnablePermission('page-update', $attachment->page); @@ -173,6 +173,7 @@ class AttachmentController extends Controller /** * Get the attachments for a specific page. + * @throws NotFoundException */ public function listForPage(int $pageId) { diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php index 283a01cfb..3bccdcda4 100644 --- a/app/Http/Controllers/Controller.php +++ b/app/Http/Controllers/Controller.php @@ -5,6 +5,7 @@ namespace BookStack\Http\Controllers; use BookStack\Facades\Activity; use BookStack\Interfaces\Loggable; use BookStack\Model; +use BookStack\Util\WebSafeMimeSniffer; use finfo; use Illuminate\Foundation\Bus\DispatchesJobs; use Illuminate\Foundation\Validation\ValidatesRequests; @@ -117,8 +118,9 @@ abstract class Controller extends BaseController protected function downloadResponse(string $content, string $fileName): Response { return response()->make($content, 200, [ - 'Content-Type' => 'application/octet-stream', - 'Content-Disposition' => 'attachment; filename="' . $fileName . '"', + 'Content-Type' => 'application/octet-stream', + 'Content-Disposition' => 'attachment; filename="' . $fileName . '"', + 'X-Content-Type-Options' => 'nosniff', ]); } @@ -128,12 +130,13 @@ abstract class Controller extends BaseController */ protected function inlineDownloadResponse(string $content, string $fileName): Response { - $finfo = new finfo(FILEINFO_MIME_TYPE); - $mime = $finfo->buffer($content) ?: 'application/octet-stream'; + + $mime = (new WebSafeMimeSniffer)->sniff($content); return response()->make($content, 200, [ - 'Content-Type' => $mime, - 'Content-Disposition' => 'inline; filename="' . $fileName . '"', + 'Content-Type' => $mime, + 'Content-Disposition' => 'inline; filename="' . $fileName . '"', + 'X-Content-Type-Options' => 'nosniff', ]); } diff --git a/app/Http/Controllers/Images/DrawioImageController.php b/app/Http/Controllers/Images/DrawioImageController.php index d99bb8e6f..b8e4546ff 100644 --- a/app/Http/Controllers/Images/DrawioImageController.php +++ b/app/Http/Controllers/Images/DrawioImageController.php @@ -67,13 +67,12 @@ class DrawioImageController extends Controller public function getAsBase64($id) { $image = $this->imageRepo->getById($id); - $page = $image->getPage(); - if ($image === null || $image->type !== 'drawio' || !userCan('page-view', $page)) { + if (is_null($image) || $image->type !== 'drawio' || !userCan('page-view', $image->getPage())) { return $this->jsonError('Image data could not be found'); } $imageData = $this->imageRepo->getImageData($image); - if ($imageData === null) { + if (is_null($imageData)) { return $this->jsonError('Image data could not be found'); } diff --git a/app/Http/Controllers/Images/ImageController.php b/app/Http/Controllers/Images/ImageController.php index 4070a0e2f..231712d52 100644 --- a/app/Http/Controllers/Images/ImageController.php +++ b/app/Http/Controllers/Images/ImageController.php @@ -7,25 +7,23 @@ use BookStack\Exceptions\NotFoundException; use BookStack\Http\Controllers\Controller; use BookStack\Uploads\Image; use BookStack\Uploads\ImageRepo; +use BookStack\Uploads\ImageService; use Exception; -use Illuminate\Filesystem\Filesystem as File; use Illuminate\Http\Request; use Illuminate\Validation\ValidationException; class ImageController extends Controller { - protected $image; - protected $file; protected $imageRepo; + protected $imageService; /** * ImageController constructor. */ - public function __construct(Image $image, File $file, ImageRepo $imageRepo) + public function __construct(ImageRepo $imageRepo, ImageService $imageService) { - $this->image = $image; - $this->file = $file; $this->imageRepo = $imageRepo; + $this->imageService = $imageService; } /** @@ -35,14 +33,13 @@ class ImageController extends Controller */ public function showImage(string $path) { - $path = storage_path('uploads/images/' . $path); - if (!file_exists($path)) { + if (!$this->imageService->pathExistsInLocalSecure($path)) { throw (new NotFoundException(trans('errors.image_not_found'))) ->setSubtitle(trans('errors.image_not_found_subtitle')) ->setDetails(trans('errors.image_not_found_details')); } - return response()->file($path); + return $this->imageService->streamImageFromStorageResponse('gallery', $path); } /** diff --git a/app/Providers/CustomValidationServiceProvider.php b/app/Providers/CustomValidationServiceProvider.php index c54f48ca3..c2c0197c7 100644 --- a/app/Providers/CustomValidationServiceProvider.php +++ b/app/Providers/CustomValidationServiceProvider.php @@ -2,6 +2,7 @@ namespace BookStack\Providers; +use BookStack\Uploads\ImageService; use Illuminate\Support\Facades\Validator; use Illuminate\Support\ServiceProvider; @@ -13,9 +14,8 @@ class CustomValidationServiceProvider extends ServiceProvider public function boot(): void { Validator::extend('image_extension', function ($attribute, $value, $parameters, $validator) { - $validImageExtensions = ['png', 'jpg', 'jpeg', 'gif', 'webp']; - - return in_array(strtolower($value->getClientOriginalExtension()), $validImageExtensions); + $extension = strtolower($value->getClientOriginalExtension()); + return ImageService::isExtensionSupported($extension); }); Validator::extend('safe_url', function ($attribute, $value, $parameters, $validator) { diff --git a/app/Uploads/AttachmentService.php b/app/Uploads/AttachmentService.php index f7a0918c6..52954d24f 100644 --- a/app/Uploads/AttachmentService.php +++ b/app/Uploads/AttachmentService.php @@ -27,7 +27,7 @@ class AttachmentService /** * Get the storage that will be used for storing files. */ - protected function getStorage(): FileSystemInstance + protected function getStorageDisk(): FileSystemInstance { return $this->fileSystem->disk($this->getStorageDiskName()); } @@ -70,7 +70,7 @@ class AttachmentService */ public function getAttachmentFromStorage(Attachment $attachment): string { - return $this->getStorage()->get($this->adjustPathForStorageDisk($attachment->path)); + return $this->getStorageDisk()->get($this->adjustPathForStorageDisk($attachment->path)); } /** @@ -195,7 +195,7 @@ class AttachmentService */ protected function deleteFileInStorage(Attachment $attachment) { - $storage = $this->getStorage(); + $storage = $this->getStorageDisk(); $dirPath = $this->adjustPathForStorageDisk(dirname($attachment->path)); $storage->delete($this->adjustPathForStorageDisk($attachment->path)); @@ -213,10 +213,10 @@ class AttachmentService { $attachmentData = file_get_contents($uploadedFile->getRealPath()); - $storage = $this->getStorage(); + $storage = $this->getStorageDisk(); $basePath = 'uploads/files/' . date('Y-m-M') . '/'; - $uploadFileName = Str::random(16) . '.' . $uploadedFile->getClientOriginalExtension(); + $uploadFileName = Str::random(16) . '-' . $uploadedFile->getClientOriginalExtension(); while ($storage->exists($this->adjustPathForStorageDisk($basePath . $uploadFileName))) { $uploadFileName = Str::random(3) . $uploadFileName; } diff --git a/app/Uploads/ImageRepo.php b/app/Uploads/ImageRepo.php index 694560a14..67297f308 100644 --- a/app/Uploads/ImageRepo.php +++ b/app/Uploads/ImageRepo.php @@ -11,36 +11,15 @@ use Symfony\Component\HttpFoundation\File\UploadedFile; class ImageRepo { - protected $image; protected $imageService; protected $restrictionService; - protected $page; - - protected static $supportedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'webp']; /** * ImageRepo constructor. */ - public function __construct( - Image $image, - ImageService $imageService, - PermissionService $permissionService, - Page $page - ) { - $this->image = $image; + public function __construct(ImageService $imageService, PermissionService $permissionService) { $this->imageService = $imageService; $this->restrictionService = $permissionService; - $this->page = $page; - } - - /** - * Check if the given image extension is supported by BookStack. - * The extension must not be altered in this function. This check should provide a guarantee - * that the provided extension is safe to use for the image to be saved. - */ - public function imageExtensionSupported(string $extension): bool - { - return in_array($extension, static::$supportedExtensions); } /** @@ -48,7 +27,7 @@ class ImageRepo */ public function getById($id): Image { - return $this->image->findOrFail($id); + return Image::query()->findOrFail($id); } /** @@ -61,7 +40,7 @@ class ImageRepo $hasMore = count($images) > $pageSize; $returnImages = $images->take($pageSize); - $returnImages->each(function ($image) { + $returnImages->each(function (Image $image) { $this->loadThumbs($image); }); @@ -83,7 +62,7 @@ class ImageRepo string $search = null, callable $whereClause = null ): array { - $imageQuery = $this->image->newQuery()->where('type', '=', strtolower($type)); + $imageQuery = Image::query()->where('type', '=', strtolower($type)); if ($uploadedTo !== null) { $imageQuery = $imageQuery->where('uploaded_to', '=', $uploadedTo); @@ -114,7 +93,8 @@ class ImageRepo int $uploadedTo = null, string $search = null ): array { - $contextPage = $this->page->findOrFail($uploadedTo); + /** @var Page $contextPage */ + $contextPage = Page::visible()->findOrFail($uploadedTo); $parentFilter = null; if ($filterType === 'book' || $filterType === 'page') { @@ -149,7 +129,7 @@ class ImageRepo * * @throws ImageUploadException */ - public function saveNewFromData(string $imageName, string $imageData, string $type, int $uploadedTo = 0) + public function saveNewFromData(string $imageName, string $imageData, string $type, int $uploadedTo = 0): Image { $image = $this->imageService->saveNew($imageName, $imageData, $type, $uploadedTo); $this->loadThumbs($image); @@ -158,13 +138,13 @@ class ImageRepo } /** - * Save a drawing the the database. + * Save a drawing in the database. * * @throws ImageUploadException */ public function saveDrawing(string $base64Uri, int $uploadedTo): Image { - $name = 'Drawing-' . strval(user()->id) . '-' . strval(time()) . '.png'; + $name = 'Drawing-' . user()->id . '-' . time() . '.png'; return $this->imageService->saveNewFromBase64Uri($base64Uri, $name, 'drawio', $uploadedTo); } @@ -172,7 +152,6 @@ class ImageRepo /** * Update the details of an image via an array of properties. * - * @throws ImageUploadException * @throws Exception */ public function updateImageDetails(Image $image, $updateDetails): Image @@ -189,13 +168,11 @@ class ImageRepo * * @throws Exception */ - public function destroyImage(Image $image = null): bool + public function destroyImage(Image $image = null): void { if ($image) { $this->imageService->destroy($image); } - - return true; } /** @@ -203,9 +180,9 @@ class ImageRepo * * @throws Exception */ - public function destroyByType(string $imageType) + public function destroyByType(string $imageType): void { - $images = $this->image->where('type', '=', $imageType)->get(); + $images = Image::query()->where('type', '=', $imageType)->get(); foreach ($images as $image) { $this->destroyImage($image); } @@ -213,25 +190,21 @@ class ImageRepo /** * Load thumbnails onto an image object. - * - * @throws Exception */ - public function loadThumbs(Image $image) + public function loadThumbs(Image $image): void { - $image->thumbs = [ + $image->setAttribute('thumbs', [ 'gallery' => $this->getThumbnail($image, 150, 150, false), 'display' => $this->getThumbnail($image, 1680, null, true), - ]; + ]); } /** * Get the thumbnail for an image. * If $keepRatio is true only the width will be used. * Checks the cache then storage to avoid creating / accessing the filesystem on every check. - * - * @throws Exception */ - protected function getThumbnail(Image $image, ?int $width = 220, ?int $height = 220, bool $keepRatio = false): ?string + protected function getThumbnail(Image $image, ?int $width, ?int $height, bool $keepRatio): ?string { try { return $this->imageService->getThumbnail($image, $width, $height, $keepRatio); diff --git a/app/Uploads/ImageService.php b/app/Uploads/ImageService.php index d6c74c751..0c3dfc47d 100644 --- a/app/Uploads/ImageService.php +++ b/app/Uploads/ImageService.php @@ -11,11 +11,14 @@ use Illuminate\Contracts\Filesystem\FileNotFoundException; use Illuminate\Contracts\Filesystem\Filesystem as FileSystemInstance; use Illuminate\Contracts\Filesystem\Filesystem as Storage; use Illuminate\Support\Facades\DB; +use Illuminate\Support\Facades\Log; use Illuminate\Support\Str; use Intervention\Image\Exception\NotSupportedException; use Intervention\Image\ImageManager; use League\Flysystem\Util; +use Psr\SimpleCache\InvalidArgumentException; use Symfony\Component\HttpFoundation\File\UploadedFile; +use Symfony\Component\HttpFoundation\StreamedResponse; class ImageService { @@ -25,6 +28,8 @@ class ImageService protected $image; protected $fileSystem; + protected static $supportedExtensions = ['jpg', 'jpeg', 'png', 'gif', 'webp']; + /** * ImageService constructor. */ @@ -39,11 +44,20 @@ class ImageService /** * Get the storage that will be used for storing images. */ - protected function getStorage(string $imageType = ''): FileSystemInstance + protected function getStorageDisk(string $imageType = ''): FileSystemInstance { return $this->fileSystem->disk($this->getStorageDiskName($imageType)); } + /** + * Check if local secure image storage (Fetched behind authentication) + * is currently active in the instance. + */ + protected function usingSecureImages(): bool + { + return $this->getStorageDiskName('gallery') === 'local_secure_images'; + } + /** * Change the originally provided path to fit any disk-specific requirements. * This also ensures the path is kept to the expected root folders. @@ -126,7 +140,7 @@ class ImageService */ public function saveNew(string $imageName, string $imageData, string $type, int $uploadedTo = 0): Image { - $storage = $this->getStorage($type); + $storage = $this->getStorageDisk($type); $secureUploads = setting('app-secure-images'); $fileName = $this->cleanImageFileName($imageName); @@ -144,7 +158,7 @@ class ImageService try { $this->saveImageDataInPublicSpace($storage, $this->adjustPathForStorageDisk($fullPath, $type), $imageData); } catch (Exception $e) { - \Log::error('Error when attempting image upload:' . $e->getMessage()); + Log::error('Error when attempting image upload:' . $e->getMessage()); throw new ImageUploadException(trans('errors.path_not_writable', ['filePath' => $fullPath])); } @@ -218,18 +232,10 @@ class ImageService * Get the thumbnail for an image. * If $keepRatio is true only the width will be used. * Checks the cache then storage to avoid creating / accessing the filesystem on every check. - * - * @param Image $image - * @param int $width - * @param int $height - * @param bool $keepRatio - * * @throws Exception - * @throws ImageUploadException - * - * @return string + * @throws InvalidArgumentException */ - public function getThumbnail(Image $image, $width = 220, $height = 220, $keepRatio = false) + public function getThumbnail(Image $image, ?int $width, ?int $height, bool $keepRatio = false): string { if ($keepRatio && $this->isGif($image)) { return $this->getPublicUrl($image->path); @@ -243,7 +249,7 @@ class ImageService return $this->getPublicUrl($thumbFilePath); } - $storage = $this->getStorage($image->type); + $storage = $this->getStorageDisk($image->type); if ($storage->exists($this->adjustPathForStorageDisk($thumbFilePath, $image->type))) { return $this->getPublicUrl($thumbFilePath); } @@ -257,27 +263,16 @@ class ImageService } /** - * Resize image data. - * - * @param string $imageData - * @param int $width - * @param int $height - * @param bool $keepRatio + * Resize the image of given data to the specified size, and return the new image data. * * @throws ImageUploadException - * - * @return string */ - protected function resizeImage(string $imageData, $width = 220, $height = null, bool $keepRatio = true) + protected function resizeImage(string $imageData, ?int $width, ?int $height, bool $keepRatio): string { try { $thumb = $this->imageTool->make($imageData); - } catch (Exception $e) { - if ($e instanceof ErrorException || $e instanceof NotSupportedException) { - throw new ImageUploadException(trans('errors.cannot_create_thumbs')); - } - - throw $e; + } catch (ErrorException | NotSupportedException $e) { + throw new ImageUploadException(trans('errors.cannot_create_thumbs')); } if ($keepRatio) { @@ -307,7 +302,7 @@ class ImageService */ public function getImageData(Image $image): string { - $storage = $this->getStorage(); + $storage = $this->getStorageDisk(); return $storage->get($this->adjustPathForStorageDisk($image->path, $image->type)); } @@ -330,7 +325,7 @@ class ImageService protected function destroyImagesFromPath(string $path, string $imageType): bool { $path = $this->adjustPathForStorageDisk($path, $imageType); - $storage = $this->getStorage($imageType); + $storage = $this->getStorageDisk($imageType); $imageFolder = dirname($path); $imageFileName = basename($path); @@ -417,7 +412,7 @@ class ImageService } $storagePath = $this->adjustPathForStorageDisk($storagePath); - $storage = $this->getStorage(); + $storage = $this->getStorageDisk(); $imageData = null; if ($storage->exists($storagePath)) { $imageData = $storage->get($storagePath); @@ -435,6 +430,41 @@ class ImageService return 'data:image/' . $extension . ';base64,' . base64_encode($imageData); } + /** + * Check if the given path exists in the local secure image system. + * Returns false if local_secure is not in use. + */ + public function pathExistsInLocalSecure(string $imagePath): bool + { + $disk = $this->getStorageDisk('gallery'); + + // Check local_secure is active + return $this->usingSecureImages() + // Check the image file exists + && $disk->exists($imagePath) + // Check the file is likely an image file + && strpos($disk->getMimetype($imagePath), 'image/') === 0; + } + + /** + * For the given path, if existing, provide a response that will stream the image contents. + */ + public function streamImageFromStorageResponse(string $imageType, string $path): StreamedResponse + { + $disk = $this->getStorageDisk($imageType); + return $disk->response($path); + } + + /** + * Check if the given image extension is supported by BookStack. + * The extension must not be altered in this function. This check should provide a guarantee + * that the provided extension is safe to use for the image to be saved. + */ + public static function isExtensionSupported(string $extension): bool + { + return in_array($extension, static::$supportedExtensions); + } + /** * Get a storage path for the given image URL. * Ensures the path will start with "uploads/images". @@ -476,7 +506,7 @@ class ImageService */ private function getPublicUrl(string $filePath): string { - if ($this->storageUrl === null) { + if (is_null($this->storageUrl)) { $storageUrl = config('filesystems.url'); // Get the standard public s3 url if s3 is set as storage type @@ -490,6 +520,7 @@ class ImageService $storageUrl = 'https://s3-' . $storageDetails['region'] . '.amazonaws.com/' . $storageDetails['bucket']; } } + $this->storageUrl = $storageUrl; } diff --git a/app/Util/WebSafeMimeSniffer.php b/app/Util/WebSafeMimeSniffer.php new file mode 100644 index 000000000..a896bd9e5 --- /dev/null +++ b/app/Util/WebSafeMimeSniffer.php @@ -0,0 +1,65 @@ +buffer($content) ?: 'application/octet-stream'; + + if (in_array($mime, $this->safeMimes)) { + return $mime; + } + + [$category] = explode('/', $mime, 2); + if ($category === 'text') { + return 'text/plain'; + } + + return 'application/octet-stream'; + } + +} \ No newline at end of file diff --git a/tests/Uploads/AttachmentTest.php b/tests/Uploads/AttachmentTest.php index 60fd370b6..1682577bf 100644 --- a/tests/Uploads/AttachmentTest.php +++ b/tests/Uploads/AttachmentTest.php @@ -9,6 +9,7 @@ use BookStack\Uploads\Attachment; use BookStack\Uploads\AttachmentService; use Illuminate\Http\UploadedFile; use Tests\TestCase; +use Tests\TestResponse; class AttachmentTest extends TestCase { @@ -44,6 +45,20 @@ class AttachmentTest extends TestCase return Attachment::query()->latest()->first(); } + /** + * Create a new upload attachment from the given data. + */ + protected function createUploadAttachment(Page $page, string $filename, string $content, string $mimeType): Attachment + { + $file = tmpfile(); + $filePath = stream_get_meta_data($file)['uri']; + file_put_contents($filePath, $content); + $upload = new UploadedFile($filePath, $filename, $mimeType, null, true); + + $this->call('POST', '/attachments/upload', ['uploaded_to' => $page->id], [], ['file' => $upload], []); + return $page->attachments()->latest()->firstOrFail(); + } + /** * Delete all uploaded files. * To assist with cleanup. @@ -94,7 +109,8 @@ class AttachmentTest extends TestCase $attachment = Attachment::query()->orderBy('id', 'desc')->first(); $this->assertStringNotContainsString($fileName, $attachment->path); - $this->assertStringEndsWith('.txt', $attachment->path); + $this->assertStringEndsWith('-txt', $attachment->path); + $this->deleteUploads(); } public function test_file_display_and_access() @@ -305,7 +321,24 @@ class AttachmentTest extends TestCase // http-foundation/Response does some 'fixing' of responses to add charsets to text responses. $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8'); $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="upload_test_file.txt"'); + $attachmentGet->assertHeader('X-Content-Type-Options', 'nosniff'); $this->deleteUploads(); } + + public function test_html_file_access_with_open_forces_plain_content_type() + { + $page = Page::query()->first(); + $this->asAdmin(); + + $attachment = $this->createUploadAttachment($page, 'test_file.html', '

testing

', 'text/html'); + + $attachmentGet = $this->get($attachment->getUrl(true)); + // http-foundation/Response does some 'fixing' of responses to add charsets to text responses. + $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8'); + $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="test_file.html"'); + + $this->deleteUploads(); + } + } diff --git a/tests/Uploads/ImageTest.php b/tests/Uploads/ImageTest.php index 69b6dc90e..296e4d187 100644 --- a/tests/Uploads/ImageTest.php +++ b/tests/Uploads/ImageTest.php @@ -241,6 +241,36 @@ class ImageTest extends TestCase } } + public function test_secure_image_paths_traversal_causes_500() + { + config()->set('filesystems.images', 'local_secure'); + $this->asEditor(); + + $resp = $this->get('/uploads/images/../../logs/laravel.log'); + $resp->assertStatus(500); + } + + public function test_secure_image_paths_traversal_on_non_secure_images_causes_404() + { + config()->set('filesystems.images', 'local'); + $this->asEditor(); + + $resp = $this->get('/uploads/images/../../logs/laravel.log'); + $resp->assertStatus(404); + } + + public function test_secure_image_paths_dont_serve_non_images() + { + config()->set('filesystems.images', 'local_secure'); + $this->asEditor(); + + $testFilePath = storage_path('/uploads/images/testing.txt'); + file_put_contents($testFilePath, 'hello from test_secure_image_paths_dont_serve_non_images'); + + $resp = $this->get('/uploads/images/testing.txt'); + $resp->assertStatus(404); + } + public function test_secure_images_included_in_exports() { config()->set('filesystems.images', 'local_secure');