From ae155d67454d6b9f6c93b2bb457aaa4b2eb1a9ed Mon Sep 17 00:00:00 2001 From: Dan Brown Date: Sun, 31 Oct 2021 17:58:56 +0000 Subject: [PATCH] Added safe mime sniffing to prevent serving HTML (Amoung other content types) For #3027 --- app/Http/Controllers/Controller.php | 15 ++++--- app/Util/WebSafeMimeSniffer.php | 65 +++++++++++++++++++++++++++++ tests/Uploads/AttachmentTest.php | 32 ++++++++++++++ 3 files changed, 106 insertions(+), 6 deletions(-) create mode 100644 app/Util/WebSafeMimeSniffer.php diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php index 283a01cfb..3bccdcda4 100644 --- a/app/Http/Controllers/Controller.php +++ b/app/Http/Controllers/Controller.php @@ -5,6 +5,7 @@ namespace BookStack\Http\Controllers; use BookStack\Facades\Activity; use BookStack\Interfaces\Loggable; use BookStack\Model; +use BookStack\Util\WebSafeMimeSniffer; use finfo; use Illuminate\Foundation\Bus\DispatchesJobs; use Illuminate\Foundation\Validation\ValidatesRequests; @@ -117,8 +118,9 @@ abstract class Controller extends BaseController protected function downloadResponse(string $content, string $fileName): Response { return response()->make($content, 200, [ - 'Content-Type' => 'application/octet-stream', - 'Content-Disposition' => 'attachment; filename="' . $fileName . '"', + 'Content-Type' => 'application/octet-stream', + 'Content-Disposition' => 'attachment; filename="' . $fileName . '"', + 'X-Content-Type-Options' => 'nosniff', ]); } @@ -128,12 +130,13 @@ abstract class Controller extends BaseController */ protected function inlineDownloadResponse(string $content, string $fileName): Response { - $finfo = new finfo(FILEINFO_MIME_TYPE); - $mime = $finfo->buffer($content) ?: 'application/octet-stream'; + + $mime = (new WebSafeMimeSniffer)->sniff($content); return response()->make($content, 200, [ - 'Content-Type' => $mime, - 'Content-Disposition' => 'inline; filename="' . $fileName . '"', + 'Content-Type' => $mime, + 'Content-Disposition' => 'inline; filename="' . $fileName . '"', + 'X-Content-Type-Options' => 'nosniff', ]); } diff --git a/app/Util/WebSafeMimeSniffer.php b/app/Util/WebSafeMimeSniffer.php new file mode 100644 index 000000000..a896bd9e5 --- /dev/null +++ b/app/Util/WebSafeMimeSniffer.php @@ -0,0 +1,65 @@ +buffer($content) ?: 'application/octet-stream'; + + if (in_array($mime, $this->safeMimes)) { + return $mime; + } + + [$category] = explode('/', $mime, 2); + if ($category === 'text') { + return 'text/plain'; + } + + return 'application/octet-stream'; + } + +} \ No newline at end of file diff --git a/tests/Uploads/AttachmentTest.php b/tests/Uploads/AttachmentTest.php index 60fd370b6..26f092bcc 100644 --- a/tests/Uploads/AttachmentTest.php +++ b/tests/Uploads/AttachmentTest.php @@ -9,6 +9,7 @@ use BookStack\Uploads\Attachment; use BookStack\Uploads\AttachmentService; use Illuminate\Http\UploadedFile; use Tests\TestCase; +use Tests\TestResponse; class AttachmentTest extends TestCase { @@ -44,6 +45,20 @@ class AttachmentTest extends TestCase return Attachment::query()->latest()->first(); } + /** + * Create a new upload attachment from the given data. + */ + protected function createUploadAttachment(Page $page, string $filename, string $content, string $mimeType): Attachment + { + $file = tmpfile(); + $filePath = stream_get_meta_data($file)['uri']; + file_put_contents($filePath, $content); + $upload = new UploadedFile($filePath, $filename, $mimeType, null, true); + + $this->call('POST', '/attachments/upload', ['uploaded_to' => $page->id], [], ['file' => $upload], []); + return $page->attachments()->latest()->firstOrFail(); + } + /** * Delete all uploaded files. * To assist with cleanup. @@ -305,7 +320,24 @@ class AttachmentTest extends TestCase // http-foundation/Response does some 'fixing' of responses to add charsets to text responses. $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8'); $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="upload_test_file.txt"'); + $attachmentGet->assertHeader('X-Content-Type-Options', 'nosniff'); $this->deleteUploads(); } + + public function test_html_file_access_with_open_forces_plain_content_type() + { + $page = Page::query()->first(); + $this->asAdmin(); + + $attachment = $this->createUploadAttachment($page, 'test_file.html', '

testing

', 'text/html'); + + $attachmentGet = $this->get($attachment->getUrl(true)); + // http-foundation/Response does some 'fixing' of responses to add charsets to text responses. + $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8'); + $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="test_file.html"'); + + $this->deleteUploads(); + } + }