HOR-4435

2018-10-02 10:26:02 -04:00
parent d263c5a7ca
commit ca3d718578
6 changed files with 106 additions and 5 deletions
--- a/workflow/engine/content/translations/english/processmaker.en.po
+++ b/workflow/engine/content/translations/english/processmaker.en.po
@@ -24845,6 +24845,12 @@ msgstr "Error: The application {0} is not canceled."
 msgid "The default configuration was not defined"
 msgstr "The default configuration was not defined"

+# TRANSLATION
+# LABEL/ID_THE_MIMETYPE_EXTENSION_ERROR
+#: LABEL/ID_THE_MIMETYPE_EXTENSION_ERROR
+msgid "The mime type does not correspond to the permitted extension, please verify your file."
+msgstr "The mime type does not correspond to the permitted extension, please verify your file."
+
 # TRANSLATION
 # LABEL/ID_THE_NAME_CHANGE_MAY_CAUSE_DATA_LOSS
 #: LABEL/ID_THE_NAME_CHANGE_MAY_CAUSE_DATA_LOSS
--- a/workflow/engine/data/mysql/insert.sql
+++ b/workflow/engine/data/mysql/insert.sql
@@ -61034,6 +61034,7 @@ INSERT INTO TRANSLATION (TRN_CATEGORY,TRN_ID,TRN_LANG,TRN_VALUE,TRN_UPDATE_DATE
 ( 'LABEL','ID_THERE_PROBLEM_SENDING_EMAIL','en','There was a problem sending the email to','2016-04-08') ,
 ( 'LABEL','ID_THE_APPLICATION_IS_NOT_CANCELED','en','Error: The application {0} is not canceled.','2016-06-15') ,
 ( 'LABEL','ID_THE_DEFAULT_CONFIGURATION','en','The default configuration was not defined','2016-11-16') ,
+( 'LABEL','ID_THE_MIMETYPE_EXTENSION_ERROR','en','The mime type does not correspond to the permitted extension, please verify your file.','2018-10-2') ,
 ( 'LABEL','ID_THE_NAME_CHANGE_MAY_CAUSE_DATA_LOSS','en','The change might cause data loss in the PM table. Do you want to continue?','2017-03-30') ,
 ( 'LABEL','ID_THE_PHP_FILES_EXECUTION_WAS_DISABLED','en','The PHP files execution was disabled please contact the system administrator.','2018-04-20') ,
 ( 'LABEL','ID_THE_REASON_REASSIGN_USER_EMPTY','en','Please complete the reassign reason.','2016-10-20') ,
--- a/workflow/engine/src/ProcessMaker/Core/System.php
+++ b/workflow/engine/src/ProcessMaker/Core/System.php
@@ -68,7 +68,8 @@ class System
        'google_map_api_key' => '',
        'google_map_signature' => '',
        'logging_level' => 'INFO', 
-        'upload_attempts_limit_per_user' => '60,1'
+        'upload_attempts_limit_per_user' => '60,1',
+        'files_white_list' => ''
    );

    /**
--- a/workflow/engine/src/ProcessMaker/Validation/ValidationUploadedFiles.php
+++ b/workflow/engine/src/ProcessMaker/Validation/ValidationUploadedFiles.php
@@ -8,7 +8,7 @@ use Illuminate\Filesystem\Filesystem;
 use Illuminate\Support\Facades\Cache;
 use ProcessMaker\Core\System;
 use ProcessMaker\Services\OAuth2\Server;
-use ProcessMaker\Validation\Validator;
+use Symfony\Component\HttpFoundation\File\File;

 class ValidationUploadedFiles
 {
@@ -102,6 +102,66 @@ class ValidationUploadedFiles
                    Bootstrap::registerMonologPhpUploadExecution('phpUpload', 250, $rule->getMessage(), $rule->getData()->filename);
                });

+        //rule: mimeType
+        $validator->addRule()
+                ->validate($file, function($file) {
+                    $path = isset($file->path) ? $file->path : "";
+                    $filesystem = new Filesystem();
+                    if (!$filesystem->exists($path)) {
+                        return false;
+                    }
+
+                    $extension = $filesystem->extension($file->filename);
+                    $mimeType = $filesystem->mimeType($path);
+
+                    $file = new File($path);
+                    $guessExtension = $file->guessExtension();
+                    $mimeTypeFile = $file->getMimeType();
+
+                    //mimeType known
+                    if ($extension === $guessExtension && $mimeType === $mimeTypeFile) {
+                        return false;
+                    }
+                    //mimeType custom
+                    $customMimeTypes = config("customMimeTypes");
+                    $customMimeType = isset($customMimeTypes[$extension]) ? $customMimeTypes[$extension] : null;
+                    if (is_string($customMimeType)) {
+                        if ($customMimeType === $mimeType) {
+                            return false;
+                        }
+                    }
+                    if (is_array($customMimeType)) {
+                        foreach ($customMimeType as $value) {
+                            if ($value === $mimeType) {
+                                return false;
+                            }
+                        }
+                    }
+                    //files_white_list
+                    $systemConfiguration = System::getSystemConfiguration('', '', config("system.workspace"));
+                    $filesWhiteList = explode(',', $systemConfiguration['files_white_list']);
+                    if (in_array($extension, $filesWhiteList)) {
+                        return false;
+                    }
+                    return true;
+                })
+                ->status(415)
+                ->message(G::LoadTranslation('ID_THE_MIMETYPE_EXTENSION_ERROR'))
+                ->log(function($rule) {
+                    /**
+                     * Levels supported by MonologProvider is:
+                     * 100 "DEBUG"
+                     * 200 "INFO"
+                     * 250 "NOTICE"
+                     * 300 "WARNING"
+                     * 400 "ERROR"
+                     * 500 "CRITICAL"
+                     * 550 "ALERT"
+                     * 600 "EMERGENCY"
+                     */
+                    Bootstrap::registerMonologPhpUploadExecution('phpUpload', 250, $rule->getMessage(), $rule->getData()->filename);
+                });
+
        return $validator->validate();
    }