Commit Graph

28 Commits

Author SHA1 Message Date
c76b5e2ec4 Fixed local_secure_restricted preventing attachment uploads
Due to option name change and therefore lack of handling.
Added test case to cover.
2022-09-02 14:40:17 +01:00
27ac122502 Started work on local_secure_restricted image option 2022-09-01 16:17:14 +01:00
abc283fc64 Extracted download response logic to its own class
Cleans up base controller and groups up download & streaming logic for
potential future easier addition of range request support.
2022-06-08 23:50:42 +01:00
2b0ae23da0 Updated composer deps, applied latest StyleCI changes 2022-04-24 18:22:40 +01:00
cb770c534d Added streamed uploads for attachments 2022-04-02 18:46:48 +01:00
82e8b1577e Updated attachment download responses to stream from filesystem
This allows download of attachments that are larger than current memory
limits, since we're not loading the entire file into memory any more.

For inline file responses, we take a 1kb portion of the file to sniff
before to check mime before we proceed.
2022-04-02 18:07:43 +01:00
85154fff69 Added an env configurable file upload size limit
Replaces the old suggestion of setting JS head 'window.uploadLimit'
variable. This new env option will be used by back-end validation and
front-end libs/logic too.

Limits already likely exist within prod environments at a PHP and
webserver level but this allows an app-level limit and centralises the
option on the BookStack side into the .env

Closes #3033
2021-11-14 22:03:22 +00:00
bc291bee78 Added inital phpstan/larastan setup 2021-11-05 16:18:06 +00:00
bfbccbede1 Updated attachments to not be saved with a complete extension
Intended to limit impact in the event the storage path is potentially
exposed.
2021-11-01 11:32:00 +00:00
43830a372f Updated showImage file serving to not be traversable
For #3030
2021-10-31 23:53:17 +00:00
859934d6a3 Applied latest changes from styleCI 2021-10-20 10:49:45 +01:00
2409d1850f Added TestCase for attachments API methods 2021-10-20 00:58:56 +01:00
32f6ea946f Build out core attachments API controller
Related to #2942
2021-10-18 17:46:55 +01:00
a9b3df537f Applied changes from styleci 2021-10-08 22:23:17 +01:00
7224fbcc89 Added protections against path traversal in file system operations
- Files within the storage/ path could be accessed via path traversal
  references in content, accessed upon HTML export.
- This addresses this via two layers:
  - Scoped local flysystem filesystems down to the specific image &
    file folders since flysystem has built-in checking against the
    escaping of the root folder.
  - Added path normalization before enforcement of uploads/{images,file}
    prefix to prevent traversal at a path level.

Thanks to @Haxatron via huntr.dev for discovery and reporting.
Ref: https://huntr.dev/bounties/ac268a17-72b5-446f-a09a-9945ef58607a/
2021-10-08 17:47:14 +01:00
05d99a312d Applied styleci changes 2021-09-26 15:48:22 +01:00
c32b315cd7 Standardised facade usage to use via their FQCN
Done via Laravel Shift Workbench
2021-09-26 15:37:55 +01:00
934a833818 Apply fixes from StyleCI 2021-06-26 15:23:15 +00:00
888f435651 Added back-end attachments-in-browser support
A query string will cause attachments to be provided inline
with an appropriate mime type.
Remaining actions:
- Tests
- Front-end functionality
- Config option?
2021-06-06 00:51:06 +01:00
60ffe6a993 Updated packages and added better upload failure logging
To fix #2689
Updates all packages but mainly focused on aws-sdk
2021-04-19 20:16:49 +01:00
7d38c96a23 Removed generic "UploadService" which was doing very little 2020-12-06 12:58:40 +00:00
349162ea13 Prevented possible XSS via link attachments
This filters out potentially malicious javascript: or data: uri's coming
through to be attached to attachments.
Added tests to cover.

Thanks to Yassine ABOUKIR (@yassineaboukir on twitter) for reporting this
vulnerability.
2020-10-31 15:01:52 +00:00
14b6cd1091 Started migration of attachment manager from vue
- Created new dropzone component.
- Added standard component event system using custom DOM events.
- Added tabs component.
- Added ajax-delete-row component.
2020-06-30 22:12:45 +01:00
140298bd96 Updated to Laravel 5.8 2019-09-13 23:58:40 +01:00
762d1d7595 Allowed different storage types for images and attachments
- Added new env and config vars to allow this.
- Also added tests for awkward config logic including fallback for new
env vars.

Closes #1302
2019-06-23 16:01:15 +01:00
193e2ffebe Prevent dbl exts. on img upload, Randomized attachment upload names 2019-03-24 19:08:21 +00:00
257a5a23ec Fleshed out entity provided and optimized imports 2018-09-25 16:58:03 +01:00
919660678b Re-structured the app code to be feature based rather than code type based 2018-09-25 12:30:50 +01:00