[+] Restrict filetype

SolidProgramming · SolidProgramming · commit ec887f0581cd · 2025-04-11T15:39:49.000+02:00
[+] Filetype error message CactuseSecurity#2696
diff --git a/roles/database/files/sql/idempotent/fworch-texts.sql b/roles/database/files/sql/idempotent/fworch-texts.sql
@@ -3113,6 +3113,9 @@ INSERT INTO txt VALUES ('E5422', 'English', 'Entry does not contain all required
 INSERT INTO txt VALUES ('E5423', 'German',  'IP-Adresse/IP-Bereich ist fehlerhaft');
 INSERT INTO txt VALUES ('E5423', 'English', 'IP Address/IP Range malformed');
 
+INSERT INTO txt VALUES ('E5430', 'German',  'Hochgeladener Dateityp ist nicht erlaubt');
+INSERT INTO txt VALUES ('E5430', 'English', 'Uploaded Filetype is not allowed');
+
 INSERT INTO txt VALUES ('E6001', 'German', 	'Der Re-Login war nicht erfolgreich. Haben Sie ein falsches Passwort eingegeben? Schauen Sie f&uuml;r Details bitte in die Logs.');
 INSERT INTO txt VALUES ('E6001', 'English', 'Re-login failed. Did you enter a wrong password? See log for details.');
 
diff --git a/roles/ui/files/FWO.UI/Pages/Settings/SettingsModelling.razor b/roles/ui/files/FWO.UI/Pages/Settings/SettingsModelling.razor
@@ -83,7 +83,7 @@
         <div class="form-group row mt-4" data-toggle="tooltip" title="@(userConfig.PureLine("H9055"))">
             <label class="col-form-label col-sm-4">@userConfig.GetText("import_app_server"):</label>
             <div class="row col-sm-6">
-                <FileUpload SupportedFileFormats=".csv" AuthorizedRoles="@Roles.Admin" TUploadResult="ErrorBaseModel" UploadCase="FileUploadCase.CustomLogoUpload"></FileUpload>
+                <FileUpload SupportedFileFormats=".csv" AuthorizedRoles="@Roles.Admin" TUploadResult="CSVFileUploadErrorModel" UploadCase="FileUploadCase.ImportAppServerFromCSV" OnAfterImportResults="OnAfterImportResults" OnError="OnAddAppServerError" OnImportSuccess="OnAppServerImportSuccess"></FileUpload>
             </div>
         </div>
         <hr />
diff --git a/roles/ui/files/FWO.UI/Services/FileUploadService.cs b/roles/ui/files/FWO.UI/Services/FileUploadService.cs
@@ -24,17 +24,26 @@ public class FileUploadService
         private readonly ModellingNamingConvention NamingConvention = new();
         private readonly List<AppServerType> AppServerTypes = [];
         private string ImportSource = "";
+        private readonly string AllowedFileFormats;
 
-        public FileUploadService(ApiConnection apiConnection, UserConfig userConfig)
+        public FileUploadService(ApiConnection apiConnection, UserConfig userConfig, string allowedFileFormats)
         {
             UserConfig = userConfig;
             ApiConnection = apiConnection;
             NamingConvention = JsonSerializer.Deserialize<ModellingNamingConvention>(userConfig.ModNamingConvention) ?? new();
             AppServerTypes = JsonSerializer.Deserialize<List<AppServerType>>(UserConfig.ModAppServerTypes) ?? [];
+            AllowedFileFormats = allowedFileFormats;
         }
 
         public async Task ReadFileToBytes(InputFileChangeEventArgs args)
         {
+            string fileExtension = Path.GetExtension(args.File.Name);
+
+            if(!AllowedFileFormats.Contains(fileExtension))
+            {
+                throw new ArgumentException(UserConfig.GetText("E5430"));
+            }
+
             using MemoryStream ms = new();
             await args.File.OpenReadStream().CopyToAsync(ms);
             UploadedData = ms.ToArray();
diff --git a/roles/ui/files/FWO.UI/Shared/FileUpload.razor b/roles/ui/files/FWO.UI/Shared/FileUpload.razor
@@ -49,7 +49,7 @@
                     <label class="btn btn-sm @(UploadDisabled ? "btn-primary" : "btn-success")" for="fileUpload">
                         @(ModellingHandlerBase.DisplayButton(userConfig, "select_file", Icons.Add, "select_file"))
                     </label>
-                    <InputFile id="fileUpload" hidden accept="@SupportedFileFormats" OnChange="@SingleUpload" />
+                    <InputFile id="fileUpload" hidden accept="@SupportedFileFormats" OnChange="@(async () => await UploadCustomLogo())" />
                     @if(InputFileChangeEventArgs is not null && !string.IsNullOrEmpty(InputFileChangeEventArgs.File.Name))
                     {
                         <label class="d-inline">@InputFileChangeEventArgs.File.Name</label>
@@ -139,7 +139,7 @@
             return;
 
         Loading = true;
-        FileUploadService fileUploadService = new(apiConnection, userConfig);
+        FileUploadService fileUploadService = new(apiConnection, userConfig, SupportedFileFormats);
 
         try
         {
@@ -169,15 +169,15 @@
 
     private async Task UploadCustomLogo()
     {
-        if(UploadDisabled || InputFileChangeEventArgs is null)
+        if(InputFileChangeEventArgs is null)
             return;
 
         if(InputFileChangeEventArgs.File is null)
             return;
 
         Loading = true;
 
-        FileUploadService fileUploadService = new(apiConnection, userConfig);
+        FileUploadService fileUploadService = new(apiConnection, userConfig, SupportedFileFormats);
 
         try
         {
