Merge commit from fork

feat: Restrict image upload file extensions and mime types for the GrapesJsEditor (5.2)

Author: escopecz

app/bundles/CoreBundle/Config/config.php

@@ -347,6 +347,7 @@
                 'class'     => Mautic\CoreBundle\Helper\FileUploader::class,
                 'arguments' => [
                     'mautic.helper.file_path_resolver',
+                    'translator',
                 ],
             ],
             'mautic.helper.file_path_resolver' => [

app/bundles/CoreBundle/Controller/FileController.php

@@ -6,6 +6,8 @@
 use Mautic\CoreBundle\Helper\FileUploader;
 use Mautic\CoreBundle\Helper\InputHelper;
 use Mautic\CoreBundle\Helper\PathsHelper;
+use Symfony\Component\HttpFoundation\File\File;
+use Symfony\Component\HttpFoundation\File\UploadedFile;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -16,16 +18,6 @@ class FileController extends AjaxController
 
     public const EDITOR_CKEDITOR = 'ckeditor';
 
-    protected $imageMimes = [
-        'image/gif',
-        'image/jpeg',
-        'image/pjpeg',
-        'image/jpeg',
-        'image/pjpeg',
-        'image/png',
-        'image/x-png',
-    ];
-
     protected $response = [];
 
     protected $statusCode = Response::HTTP_OK;
@@ -41,10 +33,12 @@ public function uploadAction(Request $request, PathsHelper $pathsHelper, FileUpl
         $mediaDir = $this->getMediaAbsolutePath($pathsHelper);
         if (!isset($this->response['error'])) {
             foreach ($request->files as $file) {
-                if (in_array($file->getMimeType(), $this->imageMimes)) {
+                /** @var UploadedFile $file */
+                try {
+                    $fileUploader->validateImage($file);
                     $fileName = $fileUploader->upload($mediaDir, $file);
                     $this->successfulResponse($request, $fileName, $editor);
-                } else {
+                } catch (FileUploadException) {
                     $this->failureResponse($editor);
                 }
             }
@@ -56,20 +50,25 @@ public function uploadAction(Request $request, PathsHelper $pathsHelper, FileUpl
     /**
      * List the files in /media directory.
      */
-    public function listAction(Request $request, PathsHelper $pathsHelper): JsonResponse
+    public function listAction(Request $request, PathsHelper $pathsHelper, FileUploader $fileUploader): JsonResponse
     {
         $fnames = scandir($this->getMediaAbsolutePath($pathsHelper));
 
         if ($fnames) {
             foreach ($fnames as $name) {
                 $imagePath = $this->getMediaAbsolutePath($pathsHelper).'/'.$name;
                 $imageUrl  = $this->getMediaUrl($request).'/'.$name;
-                if (!is_dir($name) && in_array(mime_content_type($imagePath), $this->imageMimes)) {
-                    $this->response[] = [
-                        'url'   => $imageUrl,
-                        'thumb' => $imageUrl,
-                        'name'  => $name,
-                    ];
+                $imageFile = new File($imagePath, checkPath: false);
+                if (!is_dir($name)) {
+                    try {
+                        $fileUploader->validateImage($imageFile);
+                        $this->response[] = [
+                            'url'   => $imageUrl,
+                            'thumb' => $imageUrl,
+                            'name'  => $name,
+                        ];
+                    } catch (FileUploadException) {
+                    }
                 }
             }
         } else {

app/bundles/CoreBundle/Helper/FileUploader.php

@@ -4,13 +4,37 @@
 
 use Mautic\CoreBundle\Exception\FilePathException;
 use Mautic\CoreBundle\Exception\FileUploadException;
+use Mautic\CoreBundle\Translation\Translator;
 use Symfony\Component\HttpFoundation\File\Exception\FileException;
+use Symfony\Component\HttpFoundation\File\File;
 use Symfony\Component\HttpFoundation\File\UploadedFile;
 
 class FileUploader
 {
+    /** @var string[] */
+    protected array $imageMimes = [
+        'image/gif',
+        'image/jpeg',
+        'image/pjpeg',
+        'image/png',
+        'image/x-png',
+        'image/webp',
+        'image/svg+xml',
+    ];
+
+    /** @var string[] */
+    protected array $imageExtensions = [
+        'jpg',
+        'jpeg',
+        'png',
+        'gif',
+        'webp',
+        'svg',
+    ];
+
     public function __construct(
-        private FilePathResolver $filePathResolver
+        private FilePathResolver $filePathResolver,
+        private Translator $translator,
     ) {
     }
 
@@ -32,18 +56,72 @@ public function upload($uploadDir, UploadedFile $file)
 
                 return $fileName;
             } catch (FileException) {
-                throw new FileUploadException('Could not upload file');
+                throw new FileUploadException($this->translator->trans('mautic.core.fileuploader.upload_error'));
             }
         } catch (FilePathException $e) {
             throw new FileUploadException($e->getMessage());
         }
     }
 
+    /**
+     * Verify that the file is an image.
+     *
+     * @throws FileUploadException
+     */
+    public function validateImage(File $file): void
+    {
+        // Check if the file is an image
+        if (!in_array($file->getMimeType(), $this->getAllowedImageMimeTypes())) {
+            throw new FileUploadException($this->translator->trans('mautic.core.fileuploader.unsupported_image', ['%types%' => implode(', ', $this->getAllowedImageExtensions())]));
+        }
+        // Also check the file extension
+        $extension = strtolower(pathinfo($file instanceof UploadedFile ? $file->getClientOriginalName() : $file->getFilename(), PATHINFO_EXTENSION));
+        if (!in_array($extension, $this->getAllowedImageExtensions())) {
+            throw new FileUploadException($this->translator->trans('mautic.core.fileuploader.unsupported_image', ['%types%' => implode(', ', $this->getAllowedImageExtensions())]));
+        }
+    }
+
     /**
      * @param string $path
      */
     public function delete($path): void
     {
         $this->filePathResolver->delete($path);
     }
+
+    /**
+     * @return string[]
+     */
+    public function getAllowedImageMimeTypes(): array
+    {
+        return $this->imageMimes;
+    }
+
+    /**
+     * @return string[]
+     */
+    public function getAllowedImageExtensions(): array
+    {
+        return $this->imageExtensions;
+    }
+
+    /**
+     * Allow compiler passes to add additional image MIME types.
+     */
+    public function addAllowedImageMimeType(string $mimeType): self
+    {
+        $this->imageMimes[] = $mimeType;
+
+        return $this;
+    }
+
+    /**
+     * Allow compiler passes to add additional image extensions.
+     */
+    public function addAllowedImageExtension(string $extension): self
+    {
+        $this->imageExtensions[] = $extension;
+
+        return $this;
+    }
 }

app/bundles/CoreBundle/Tests/Unit/Helper/FileUploaderTest.php

@@ -6,6 +6,7 @@
 use Mautic\CoreBundle\Exception\FileUploadException;
 use Mautic\CoreBundle\Helper\FilePathResolver;
 use Mautic\CoreBundle\Helper\FileUploader;
+use Mautic\CoreBundle\Translation\Translator;
 use Symfony\Component\HttpFoundation\File\Exception\FileException;
 use Symfony\Component\HttpFoundation\File\UploadedFile;
 
@@ -25,6 +26,10 @@ public function testSuccessfulUpload(): void
             ->disableOriginalConstructor()
             ->getMock();
 
+        $translatorMock = $this->getMockBuilder(Translator::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
         $fileMock = $this->getMockBuilder(UploadedFile::class)
             ->disableOriginalConstructor()
             ->getMock();
@@ -42,7 +47,7 @@ public function testSuccessfulUpload(): void
             ->method('createDirectory')
             ->with($uploadDir);
 
-        $fileUploader = new FileUploader($filePathResolverMock);
+        $fileUploader = new FileUploader($filePathResolverMock, $translatorMock);
 
         $fileUploader->upload($uploadDir, $fileMock);
     }
@@ -61,6 +66,10 @@ public function testCouldNotCreateDirectory(): void
             ->disableOriginalConstructor()
             ->getMock();
 
+        $translatorMock = $this->getMockBuilder(Translator::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
         $fileMock = $this->getMockBuilder(UploadedFile::class)
             ->disableOriginalConstructor()
             ->getMock();
@@ -78,7 +87,7 @@ public function testCouldNotCreateDirectory(): void
             ->with($uploadDir)
             ->willThrowException(new FilePathException('Could not create directory'));
 
-        $fileUploader = new FileUploader($filePathResolverMock);
+        $fileUploader = new FileUploader($filePathResolverMock, $translatorMock);
 
         $this->expectException(FileUploadException::class);
         $this->expectExceptionMessage('Could not create directory');
@@ -100,6 +109,13 @@ public function testCouldNotMoveFile(): void
             ->disableOriginalConstructor()
             ->getMock();
 
+        $translatorMock = $this->getMockBuilder(Translator::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
+        $translatorMock->method('trans')
+            ->willReturn('Could not upload filed');
+
         $fileMock = $this->getMockBuilder(UploadedFile::class)
             ->disableOriginalConstructor()
             ->getMock();
@@ -118,7 +134,7 @@ public function testCouldNotMoveFile(): void
             ->method('createDirectory')
             ->with($uploadDir);
 
-        $fileUploader = new FileUploader($filePathResolverMock);
+        $fileUploader = new FileUploader($filePathResolverMock, $translatorMock);
 
         $this->expectException(FileUploadException::class);
         $this->expectExceptionMessage('Could not upload file');
@@ -139,11 +155,15 @@ public function testDeleteFile(): void
             ->disableOriginalConstructor()
             ->getMock();
 
+        $translatorMock = $this->getMockBuilder(Translator::class)
+            ->disableOriginalConstructor()
+            ->getMock();
+
         $filePathResolverMock->expects($this->once())
             ->method('delete')
             ->with($file);
 
-        $fileUploader = new FileUploader($filePathResolverMock);
+        $fileUploader = new FileUploader($filePathResolverMock, $translatorMock);
 
         $fileUploader->delete($file);
     }

app/bundles/CoreBundle/Translations/en_US/messages.ini

@@ -801,3 +801,6 @@ mautic.placeholder_tokens.introducing_tokens.title="Introducing tokens"
 mautic.placeholder_tokens.introducing_tokens.description="Tokens are placeholders used within emails, landing pages, and other communications, which automatically get replaced with personalized information (like a contact's name, email, or custom field data) when the message is sent."
 mautic.placeholder_tokens.fallback_text_info="The default value is specified after the | character. For example, if a contact doesn't have a First name while using this token <code>Hi {contactfield=firstname|there}</code>, the email will send the phrase as <code>Hi there</code>."
 mautic.core.theme.form.confirm.unhide="Show the theme, %theme%?"
+
+mautic.core.fileuploader.upload_error="Could not upload file"
+mautic.core.fileuploader.unsupported_image="Unsupported image type or corrupt file. Allowed types are: %types%."

plugins/GrapesJsBuilderBundle/Assets/library/js/builder.service.js

@@ -88,6 +88,10 @@ export default class BuilderService {
       });
     });
 
+    this.editor.on('asset:upload:error', (error) => {
+      Mautic.setFlashes(Mautic.addErrorFlashMessage(error));
+    });
+
     this.editor.on('asset:open', () => {
       const editor = this.editor;
       const assetsService = this.assetService;

plugins/GrapesJsBuilderBundle/Assets/library/js/dist/builder.js

@@ -5,18 +5,26 @@
 namespace MauticPlugin\GrapesJsBuilderBundle\Controller;
 
 use Mautic\CoreBundle\Controller\AjaxController;
+use Mautic\CoreBundle\Exception\FileUploadException;
 use MauticPlugin\GrapesJsBuilderBundle\Helper\FileManager;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
 
 class FileManagerController extends AjaxController
 {
     private const DEFAULT_PAGE  = 1;
     private const DEFAULT_LIMIT = 20;
 
-    public function uploadAction(Request $request, FileManager $fileManager): JsonResponse
+    public function uploadAction(Request $request, FileManager $fileManager): Response
     {
-        return $this->sendJsonResponse(['data'=> $fileManager->uploadFiles($request)]);
+        try {
+            $response = $this->sendJsonResponse(['data'=> $fileManager->uploadFiles($request)]);
+        } catch (FileUploadException $error) {
+            return new Response($error->getMessage(), Response::HTTP_BAD_REQUEST);
+        }
+
+        return $response;
     }
 
     public function deleteAction(Request $request, FileManager $fileManager): JsonResponse

plugins/GrapesJsBuilderBundle/Controller/FileManagerController.php

@@ -20,12 +20,14 @@ class FileManager
     public function __construct(
         private FileUploader $fileUploader,
         private CoreParametersHelper $coreParametersHelper,
-        private PathsHelper $pathsHelper
+        private PathsHelper $pathsHelper,
     ) {
     }
 
     /**
      * @return array
+     *
+     * @throws FileUploadException
      */
     public function uploadFiles($request)
     {
@@ -35,10 +37,11 @@ public function uploadFiles($request)
             $uploadedFiles = [];
 
             foreach ($files as $file) {
-                try {
-                    $uploadedFiles[] =  $this->getFullUrl($this->fileUploader->upload($uploadDir, $file));
-                } catch (FileUploadException) {
-                }
+                $this->fileUploader->validateImage($file);
+            }
+
+            foreach ($files as $file) {
+                $uploadedFiles[] =  $this->getFullUrl($this->fileUploader->upload($uploadDir, $file));
             }
         }