mirror of
https://github.com/Part-DB/Part-DB-server.git
synced 2026-02-26 03:19:36 +00:00
a1fd3199d6
This makes it consistent with the public paths and ensures all HTML is only rendered in our sandbox
174 lines
6.7 KiB
PHP
174 lines
6.7 KiB
PHP
<?php
|
|
/**
|
|
* This file is part of Part-DB (https://github.com/Part-DB/Part-DB-symfony).
|
|
*
|
|
* Copyright (C) 2019 - 2022 Jan Böhmer (https://github.com/jbtronics)
|
|
*
|
|
* This program is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU Affero General Public License as published
|
|
* by the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU Affero General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Affero General Public License
|
|
* along with this program. If not, see <https://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
declare(strict_types=1);
|
|
|
|
namespace App\Controller;
|
|
|
|
use App\DataTables\AttachmentDataTable;
|
|
use App\DataTables\Filters\AttachmentFilter;
|
|
use App\DataTables\PartsDataTable;
|
|
use App\Entity\Attachments\Attachment;
|
|
use App\Form\Filters\AttachmentFilterType;
|
|
use App\Services\Attachments\AttachmentManager;
|
|
use App\Services\Trees\NodesListBuilder;
|
|
use App\Settings\BehaviorSettings\TableSettings;
|
|
use App\Settings\SystemSettings\AttachmentsSettings;
|
|
use Omines\DataTablesBundle\DataTableFactory;
|
|
use RuntimeException;
|
|
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
|
use Symfony\Component\HttpFoundation\BinaryFileResponse;
|
|
use Symfony\Component\HttpFoundation\Request;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
use Symfony\Component\HttpFoundation\ResponseHeaderBag;
|
|
use Symfony\Component\Routing\Attribute\Route;
|
|
|
|
class AttachmentFileController extends AbstractController
|
|
{
|
|
|
|
public function __construct(private readonly AttachmentManager $helper)
|
|
{
|
|
|
|
}
|
|
|
|
#[Route(path: '/attachment/{id}/sandbox', name: 'attachment_html_sandbox')]
|
|
public function htmlSandbox(Attachment $attachment, AttachmentsSettings $attachmentsSettings): Response
|
|
{
|
|
//Check if the sandbox is enabled in the settings, as it can be a security risk if used without proper precautions, so it should be opt-in
|
|
if (!$attachmentsSettings->showHTMLAttachments) {
|
|
throw $this->createAccessDeniedException('The HTML sandbox for attachments is disabled in the settings, as it can be a security risk if used without proper precautions. Please enable it in the settings if you want to use it.');
|
|
}
|
|
|
|
$this->checkPermissions($attachment);
|
|
|
|
$file_path = $this->helper->toAbsoluteInternalFilePath($attachment);
|
|
|
|
$attachmentContent = file_get_contents($file_path);
|
|
|
|
$response = $this->render('attachments/html_sandbox.html.twig', [
|
|
'attachment' => $attachment,
|
|
'content' => $attachmentContent,
|
|
]);
|
|
|
|
//Set an CSP that allows to run inline scripts, styles and images from external ressources, but does not allow any connections or others.
|
|
//Also set the sandbox CSP directive with only "allow-script" to run basic scripts
|
|
$response->headers->set('Content-Security-Policy', "default-src 'none'; script-src 'unsafe-inline'; style-src 'unsafe-inline'; img-src data:; sandbox allow-scripts;");
|
|
|
|
//Forbid to embed the attachment render page in an iframe to prevent clickjacking, as it is not used anywhere else for now
|
|
$response->headers->set('X-Frame-Options', 'DENY');
|
|
|
|
return $response;
|
|
}
|
|
|
|
/**
|
|
* Download the selected attachment.
|
|
*/
|
|
#[Route(path: '/attachment/{id}/download', name: 'attachment_download')]
|
|
public function download(Attachment $attachment): BinaryFileResponse
|
|
{
|
|
$this->checkPermissions($attachment);
|
|
|
|
$file_path = $this->helper->toAbsoluteInternalFilePath($attachment);
|
|
$response = new BinaryFileResponse($file_path);
|
|
|
|
$response = $this->forbidHTMLContentType($response);
|
|
|
|
//Set header content disposition, so that the file will be downloaded
|
|
$response->setContentDisposition(ResponseHeaderBag::DISPOSITION_ATTACHMENT, $attachment->getFilename());
|
|
|
|
return $response;
|
|
}
|
|
|
|
/**
|
|
* View the attachment.
|
|
*/
|
|
#[Route(path: '/attachment/{id}/view', name: 'attachment_view')]
|
|
public function view(Attachment $attachment): BinaryFileResponse
|
|
{
|
|
$this->checkPermissions($attachment);
|
|
|
|
$file_path = $this->helper->toAbsoluteInternalFilePath($attachment);
|
|
$response = new BinaryFileResponse($file_path);
|
|
|
|
$response = $this->forbidHTMLContentType($response);
|
|
|
|
//Set header content disposition, so that the file will be downloaded
|
|
$response->setContentDisposition(ResponseHeaderBag::DISPOSITION_INLINE, $attachment->getFilename());
|
|
|
|
return $response;
|
|
}
|
|
|
|
private function forbidHTMLContentType(BinaryFileResponse $response): BinaryFileResponse
|
|
{
|
|
$mimeType = $response->getFile()->getMimeType();
|
|
|
|
if ($mimeType === 'text/html') {
|
|
$mimeType = 'text/plain';
|
|
}
|
|
|
|
$response->headers->set('Content-Type', $mimeType);
|
|
|
|
return $response;
|
|
}
|
|
|
|
private function checkPermissions(Attachment $attachment): void
|
|
{
|
|
$this->denyAccessUnlessGranted('read', $attachment);
|
|
|
|
if ($attachment->isSecure()) {
|
|
$this->denyAccessUnlessGranted('show_private', $attachment);
|
|
}
|
|
|
|
if (!$attachment->hasInternal()) {
|
|
throw $this->createNotFoundException('The file for this attachment is external and not stored locally!');
|
|
}
|
|
|
|
if (!$this->helper->isInternalFileExisting($attachment)) {
|
|
throw $this->createNotFoundException('The file associated with the attachment is not existing!');
|
|
}
|
|
}
|
|
|
|
#[Route(path: '/attachment/list', name: 'attachment_list')]
|
|
public function attachmentsTable(Request $request, DataTableFactory $dataTableFactory, NodesListBuilder $nodesListBuilder,
|
|
TableSettings $tableSettings): Response
|
|
{
|
|
$this->denyAccessUnlessGranted('@attachments.list_attachments');
|
|
|
|
$formRequest = clone $request;
|
|
$formRequest->setMethod('GET');
|
|
$filter = new AttachmentFilter($nodesListBuilder);
|
|
|
|
$filterForm = $this->createForm(AttachmentFilterType::class, $filter, ['method' => 'GET']);
|
|
|
|
$filterForm->handleRequest($formRequest);
|
|
|
|
$table = $dataTableFactory->createFromType(AttachmentDataTable::class, ['filter' => $filter], ['pageLength' => $tableSettings->fullDefaultPageSize, 'lengthMenu' => PartsDataTable::LENGTH_MENU])
|
|
->handleRequest($request);
|
|
|
|
if ($table->isCallback()) {
|
|
return $table->getResponse();
|
|
}
|
|
|
|
return $this->render('attachment_list.html.twig', [
|
|
'datatable' => $table,
|
|
'filterForm' => $filterForm,
|
|
]);
|
|
}
|
|
}
|