File upload vulnerability fixes

Author: Swapnamol

LearningHub.Nhs.WebUI/Controllers/Api/ResourceController.cs

@@ -258,6 +258,33 @@ public async Task<ActionResult> RecordExternalReferenceUserAgreementAsync([FromB
             }
         }
 
+        /// <summary>
+        /// The RecordExternalReferenceUserAgreementAsync.
+        /// </summary>
+        /// <param name="model">model.</param>
+        /// <returns>A <see cref="Task{TResult}"/> representing the result of the asynchronous operation.</returns>
+        [HttpPost]
+        [Route(" CreateResourceVersionValidationResult")]
+        public async Task<ActionResult> CreateResourceVersionValidationResultAsync([FromBody] ResourceVersionValidationResultViewModel model)
+        {
+            await this.resourceService.CreateResourceVersionValidationResultAsync(model);
+            return this.Ok();
+        }
+
+        /// <summary>
+        /// The RecordExternalReferenceUserAgreementAsync.
+        /// </summary>
+        /// <param name="filename">model.</param>
+        /// <returns>A <see cref="Task{TResult}"/> representing the result of the asynchronous operation.</returns>
+        [HttpPost]
+        [Route(" CreateResourceVersionValidationResults")]
+        public async Task<ActionResult> CreateResourceVersionValidationResultAsync([FromBody] string filename)
+        {
+            ResourceVersionValidationResultViewModel model = new ResourceVersionValidationResultViewModel();
+            await this.resourceService.CreateResourceVersionValidationResultAsync(model);
+            return this.Ok();
+        }
+
         /// <summary>
         /// The GetHeaderById.
         /// </summary>

LearningHub.Nhs.WebUI/Interfaces/IResourceService.cs

@@ -269,6 +269,13 @@ public interface IResourceService
         /// <returns>The <see cref="Task{LearningHubValidationResult}"/>.</returns>
         Task<LearningHubValidationResult> CreateResourceVersionProviderAsync(ResourceVersionProviderViewModel model);
 
+        /// <summary>
+        /// Creates resource version validation results corresponding to the value in the corresponding input view model.
+        /// </summary>
+        /// <param name="validationResultViewModel">Details of the validation results.</param>
+        /// <returns>A <see cref="Task"/> representing the result of the asynchronous operation.</returns>
+        Task CreateResourceVersionValidationResultAsync(ResourceVersionValidationResultViewModel validationResultViewModel);
+
         /// <summary>
         /// Delete resource version provider.
         /// </summary>

LearningHub.Nhs.WebUI/Scripts/vuesrc/helpers/fileUpload.ts

@@ -49,7 +49,7 @@ const MAX_FILE_SIZE = 10 * 1000 * 1000 * 1000; // 10GB
 
 // This list should correspond to the disallowed extensions contained in the FileType table
 const BLOCKED_FILE_EXTENSIONS = ['.app', '.asp', '.aspx', '.dll', '.dmg', '.exe', '.flv', '.f4v', '.js', '.jsp',
-    '.php', '.shtm', '.shtml', '.swf','.webm'];
+    '.php', '.shtm', '.shtml', '.swf', '.webm', '.bat', '.cmd', '.vbs', '.msi', '.pif', '.sh', '.tar', '.gz', '.7z', '.rar', '.sys', '.bak', '.iso', '.torrent'];
 
 const IMAGE_FILE_EXTENSIONS = ['.apng', '.avif', '.bmp', '.cur', '.gif', '.ico', '.jfif', '.jpeg', '.jpg', '.pjp',
     '.pjpeg', '.png', '.psd', '.svg', '.tif', '.tiff', '.webp'];

LearningHub.Nhs.WebUI/Services/ContributeService.cs

@@ -17,6 +17,8 @@
     using LearningHub.Nhs.WebUI.Models.Contribute;
     using Microsoft.AspNetCore.Http;
     using Microsoft.Extensions.Logging;
+    using Microsoft.VisualBasic;
+    using MK.IO.Models;
     using Newtonsoft.Json;
 
     /// <summary>
@@ -38,7 +40,7 @@ public class ContributeService : BaseService<ContributeService>, IContributeServ
         /// <param name="mediaService">MKIO media service.</param>
         /// <param name="learningHubHttpClient">Learning hub http client.</param>
         /// <param name="logger">Logger.</param>
-        public ContributeService(IFileService fileService, IResourceService resourceService, IAzureMediaService azureMediaService,  ILearningHubHttpClient learningHubHttpClient, ILogger<ContributeService> logger, IAzureMediaService mediaService)
+        public ContributeService(IFileService fileService, IResourceService resourceService, IAzureMediaService azureMediaService, ILearningHubHttpClient learningHubHttpClient, ILogger<ContributeService> logger, IAzureMediaService mediaService)
         : base(learningHubHttpClient, logger)
         {
             this.fileService = fileService;
@@ -502,6 +504,31 @@ public async Task<FileUploadResult> ProcessResourceFileAsync(int resourceVersion
 
             if ((fileType == null) || (fileType != null && fileType.NotAllowed) || file.Length <= 0)
             {
+                // Define dangerous file extensions
+                string[] dangerousExtensions = { ".exe", ".dll", ".bat", ".js", ".vbs", ".sh", ".ps1" };
+                if (dangerousExtensions.Any(ext => file.FileName.EndsWith(ext, StringComparison.OrdinalIgnoreCase)))
+                {
+                    var error = $"A potentially harmful file has been detected and blocked: {file.FileName}.";
+                    var validationDetail = new ResourceVersionValidationResultViewModel
+                    {
+                        ResourceVersionId = resourceVersionId,
+                        Success = false,
+                        Details = string.Empty,
+                        AmendUserId = currentUserId,
+                        ResourceVersionValidationRuleResultViewModels = new[]
+                       {
+                        new ResourceVersionValidationRuleResultViewModel
+                        {
+                            ResourceTypeValidationRuleEnum = ResourceTypeValidationRuleEnum.HtmlResource_RootIndexPresent,
+                            Success = false,
+                            Details = error,
+                        },
+                       }.ToList(),
+                    };
+
+                    await this.resourceService.CreateResourceVersionValidationResultAsync(validationDetail);
+                }
+
                 return new FileUploadResult()
                 {
                     FileName = file.FileName,

LearningHub.Nhs.WebUI/Services/ResourceService.cs

@@ -1195,6 +1195,38 @@ public async Task<LearningHubValidationResult> CreateResourceVersionProviderAsyn
             return apiResponse.ValidationResult;
         }
 
+        /// <summary>
+        /// Creates resource version validation results corresponding to the value in the corresponding input view model.
+        /// </summary>
+        /// <param name="validationResultViewModel">Details of the validation results.</param>
+        /// <returns>A <see cref="Task"/> representing the result of the asynchronous operation.</returns>
+        public async Task CreateResourceVersionValidationResultAsync(ResourceVersionValidationResultViewModel validationResultViewModel)
+        {
+            ApiResponse apiResponse = null;
+            var json = JsonConvert.SerializeObject(validationResultViewModel);
+            var stringContent = new StringContent(json, UnicodeEncoding.UTF8, "application/json");
+
+            var client = await this.LearningHubHttpClient.GetClientAsync();
+
+            var request = $"Resource/CreateResourceVersionValidationResult";
+            var response = await client.PostAsync(request, stringContent).ConfigureAwait(false);
+
+            if (response.IsSuccessStatusCode)
+            {
+                var result = response.Content.ReadAsStringAsync().Result;
+                apiResponse = JsonConvert.DeserializeObject<ApiResponse>(result);
+
+                if (!apiResponse.Success)
+                {
+                    throw new Exception("save failed!");
+                }
+            }
+            else if (response.StatusCode == System.Net.HttpStatusCode.Unauthorized || response.StatusCode == System.Net.HttpStatusCode.Forbidden)
+            {
+                throw new Exception("AccessDenied");
+            }
+        }
+
         /// <summary>
         /// The delete resource version provider.
         /// </summary>

WebAPI/LearningHub.Nhs.Database/LearningHub.Nhs.Database.sqlproj

@@ -536,6 +536,7 @@
     <None Include="Scripts\Post-Deploy\Scripts\UpdateFileTypes.sql" />
     <None Include="Scripts\Post-Deploy\Scripts\AddDigitalLearningSolutionsExternalSystem.sql" />
     <Build Include="Stored Procedures\Activity\GetAssessmentActivityCompletionPercentage.sql" />
+    <None Include="Scripts\LH Database Scripts\CreateResourceTypeValidationRule.sql" />
   </ItemGroup>
   <ItemGroup>
     <None Include="Scripts\Pre-Deploy\Scripts\Card5766_AuthorTableChanges.PreDeployment.sql" />

WebAPI/LearningHub.Nhs.Database/Scripts/LH Database Scripts/CreateResourceTypeValidationRule.sql

@@ -0,0 +1,44 @@
+IF NOT EXISTS(SELECT 'X' FROM [resources].[ResourceTypeValidationRule] WHERE Id = 7)
+BEGIN
+	INSERT INTO [resources].[ResourceTypeValidationRule]
+           ([Id]
+           ,[ResourceTypeId]
+           ,[Description]
+           ,[Deleted]
+           ,[CreateUserId]
+           ,[CreateDate]
+           ,[AmendUserId]
+           ,[AmendDate])
+     VALUES
+           (7
+           ,9
+           ,'GenericFile_ValidZipFile'
+           ,0
+           ,4
+           ,SYSDATETIMEOFFSET()
+           ,4
+           ,SYSDATETIMEOFFSET())
+END
+GO
+IF NOT EXISTS(SELECT 'X' FROM [resources].[ResourceTypeValidationRule] WHERE Id = 8)
+BEGIN
+	INSERT INTO [resources].[ResourceTypeValidationRule]
+           ([Id]
+           ,[ResourceTypeId]
+           ,[Description]
+           ,[Deleted]
+           ,[CreateUserId]
+           ,[CreateDate]
+           ,[AmendUserId]
+           ,[AmendDate])
+     VALUES
+           (8
+           ,9
+           ,'GenericFile_ValidFileTypes'
+           ,0
+           ,4
+           ,SYSDATETIMEOFFSET()
+           ,4
+           ,SYSDATETIMEOFFSET())
+END
+GO

WebAPI/LearningHub.Nhs.Database/Scripts/Post-Deploy/Script.PostDeployment.sql

@@ -86,4 +86,5 @@ UPDATE [resources].[ResourceVersion] SET CertificateEnabled = 0 WHERE VersionSta
 :r .\Scripts\AttributeData.sql 
 :r .\Scripts\PPSXFileType.sql
 :r .\Scripts\UpdateFileTypes.sql
+:r .\Scripts\CreateResourceTypeValidationRule.sql