attachments.js 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328
  1. import { ReactiveCache } from '/imports/reactiveCache';
  2. import { Meteor } from 'meteor/meteor';
  3. import { FilesCollection } from 'meteor/ostrio:files';
  4. import { isFileValid } from './fileValidation';
  5. import { createBucket } from './lib/grid/createBucket';
  6. import fs from 'fs';
  7. import path from 'path';
  8. import { AttachmentStoreStrategyFilesystem, AttachmentStoreStrategyGridFs } from '/models/lib/attachmentStoreStrategy';
  9. // DISABLED: S3 storage strategy removed due to Node.js compatibility
  10. // import { AttachmentStoreStrategyS3 } from '/models/lib/attachmentStoreStrategy';
  11. import FileStoreStrategyFactory, {moveToStorage, rename, STORAGE_NAME_FILESYSTEM, STORAGE_NAME_GRIDFS} from '/models/lib/fileStoreStrategy';
  12. // DISABLED: S3 storage removed due to Node.js compatibility
  13. // import { STORAGE_NAME_S3 } from '/models/lib/fileStoreStrategy';
  14. import { getAttachmentWithBackwardCompatibility, getAttachmentsWithBackwardCompatibility } from './lib/attachmentBackwardCompatibility';
  15. import AttachmentStorageSettings from './attachmentStorageSettings';
  16. let attachmentUploadExternalProgram;
  17. let attachmentUploadMimeTypes = [];
  18. let attachmentUploadSize = 0;
  19. let attachmentBucket;
  20. let storagePath;
  21. if (Meteor.isServer) {
  22. attachmentBucket = createBucket('attachments');
  23. if (process.env.ATTACHMENTS_UPLOAD_MIME_TYPES) {
  24. attachmentUploadMimeTypes = process.env.ATTACHMENTS_UPLOAD_MIME_TYPES.split(',');
  25. attachmentUploadMimeTypes = attachmentUploadMimeTypes.map(value => value.trim());
  26. }
  27. if (process.env.ATTACHMENTS_UPLOAD_MAX_SIZE) {
  28. attachmentUploadSize = parseInt(process.env.ATTACHMENTS_UPLOAD_MAX_SIZE);
  29. if (isNaN(attachmentUploadSize)) {
  30. attachmentUploadSize = 0
  31. }
  32. }
  33. if (process.env.ATTACHMENTS_UPLOAD_EXTERNAL_PROGRAM) {
  34. attachmentUploadExternalProgram = process.env.ATTACHMENTS_UPLOAD_EXTERNAL_PROGRAM;
  35. if (!attachmentUploadExternalProgram.includes("{file}")) {
  36. attachmentUploadExternalProgram = undefined;
  37. }
  38. }
  39. storagePath = path.join(process.env.WRITABLE_PATH || process.cwd(), 'attachments');
  40. }
  41. export const fileStoreStrategyFactory = new FileStoreStrategyFactory(AttachmentStoreStrategyFilesystem, storagePath, AttachmentStoreStrategyGridFs, attachmentBucket);
  42. // XXX Enforce a schema for the Attachments FilesCollection
  43. // see: https://github.com/VeliovGroup/Meteor-Files/wiki/Schema
  44. Attachments = new FilesCollection({
  45. debug: false, // Change to `true` for debugging
  46. collectionName: 'attachments',
  47. allowClientCode: true,
  48. namingFunction(opts) {
  49. let filenameWithoutExtension = ""
  50. let fileId = "";
  51. if (opts?.name) {
  52. // Client
  53. filenameWithoutExtension = opts.name.replace(/(.+)\..+/, "$1");
  54. fileId = opts.meta.fileId;
  55. delete opts.meta.fileId;
  56. } else if (opts?.file?.name) {
  57. // Server
  58. if (opts.file.extension) {
  59. filenameWithoutExtension = opts.file.name.replace(new RegExp(opts.file.extensionWithDot + "$"), "")
  60. } else {
  61. // file has no extension, so don't replace anything, otherwise the last character is removed (because extensionWithDot = '.')
  62. filenameWithoutExtension = opts.file.name;
  63. }
  64. fileId = opts.fileId;
  65. }
  66. else {
  67. // should never reach here
  68. filenameWithoutExtension = Math.random().toString(36).slice(2);
  69. fileId = Math.random().toString(36).slice(2);
  70. }
  71. // OLD:
  72. //const ret = fileId + "-original-" + filenameWithoutExtension;
  73. // NEW: Save file only with filename of ObjectID, not including filename.
  74. // Fixes https://github.com/wekan/wekan/issues/4416#issuecomment-1510517168
  75. const ret = fileId;
  76. // remove fileId from meta, it was only stored there to have this information here in the namingFunction function
  77. return ret;
  78. },
  79. sanitize(str, max, replacement) {
  80. // keep the original filename
  81. return str;
  82. },
  83. storagePath() {
  84. const ret = fileStoreStrategyFactory.storagePath;
  85. return ret;
  86. },
  87. onBeforeUpload(file) {
  88. // Block SVG files for attachments to prevent XSS attacks
  89. if (file.name && file.name.toLowerCase().endsWith('.svg')) {
  90. if (process.env.DEBUG === 'true') {
  91. console.warn('Blocked SVG file upload for attachment:', file.name);
  92. }
  93. return 'SVG files are not allowed for attachments due to security reasons. Please use PNG, JPG, GIF, or other safe formats.';
  94. }
  95. if (file.type === 'image/svg+xml') {
  96. if (process.env.DEBUG === 'true') {
  97. console.warn('Blocked SVG MIME type upload for attachment:', file.type);
  98. }
  99. return 'SVG files are not allowed for attachments due to security reasons. Please use PNG, JPG, GIF, or other safe formats.';
  100. }
  101. return true;
  102. },
  103. onAfterUpload(fileObj) {
  104. // Get default storage backend from settings
  105. let defaultStorage = STORAGE_NAME_FILESYSTEM;
  106. try {
  107. const settings = AttachmentStorageSettings.findOne({});
  108. if (settings) {
  109. defaultStorage = settings.getDefaultStorage();
  110. }
  111. } catch (error) {
  112. console.warn('Could not get attachment storage settings, using default:', error);
  113. }
  114. // Set initial storage to filesystem (temporary)
  115. Object.keys(fileObj.versions).forEach(versionName => {
  116. fileObj.versions[versionName].storage = STORAGE_NAME_FILESYSTEM;
  117. });
  118. this._now = new Date();
  119. Attachments.update({ _id: fileObj._id }, { $set: { "versions" : fileObj.versions } });
  120. Attachments.update({ _id: fileObj.uploadedAtOstrio }, { $set: { "uploadedAtOstrio" : this._now } });
  121. // Use selected storage backend or copy storage if specified
  122. let storageDestination = fileObj.meta.copyStorage || defaultStorage;
  123. // Only migrate if the destination is different from filesystem
  124. if (storageDestination !== STORAGE_NAME_FILESYSTEM) {
  125. Meteor.defer(() => Meteor.call('validateAttachmentAndMoveToStorage', fileObj._id, storageDestination));
  126. }
  127. },
  128. interceptDownload(http, fileObj, versionName) {
  129. const ret = fileStoreStrategyFactory.getFileStrategy(fileObj, versionName).interceptDownload(http, this.cacheControl);
  130. return ret;
  131. },
  132. onAfterRemove(files) {
  133. files.forEach(fileObj => {
  134. Object.keys(fileObj.versions).forEach(versionName => {
  135. fileStoreStrategyFactory.getFileStrategy(fileObj, versionName).onAfterRemove();
  136. });
  137. });
  138. },
  139. // We authorize the attachment download either:
  140. // - if the board is public, everyone (even unconnected) can download it
  141. // - if the board is private, only board members can download it
  142. protected(fileObj) {
  143. // file may have been deleted already again after upload validation failed
  144. if (!fileObj) {
  145. return false;
  146. }
  147. const board = ReactiveCache.getBoard(fileObj.meta.boardId);
  148. if (board.isPublic()) {
  149. return true;
  150. }
  151. return board.hasMember(this.userId);
  152. },
  153. });
  154. if (Meteor.isServer) {
  155. Attachments.allow({
  156. insert(userId, fileObj) {
  157. return allowIsBoardMember(userId, ReactiveCache.getBoard(fileObj.boardId));
  158. },
  159. update(userId, fileObj, fields) {
  160. // Only allow updates to specific fields that don't affect security
  161. const allowedFields = ['name', 'size', 'type', 'extension', 'extensionWithDot', 'meta', 'versions'];
  162. const isAllowedField = fields.every(field => allowedFields.includes(field));
  163. if (!isAllowedField) {
  164. if (process.env.DEBUG === 'true') {
  165. console.warn('Blocked attempt to update restricted attachment fields:', fields);
  166. }
  167. return false;
  168. }
  169. return allowIsBoardMember(userId, ReactiveCache.getBoard(fileObj.boardId));
  170. },
  171. remove(userId, fileObj) {
  172. // Additional security check: ensure the file belongs to the board the user has access to
  173. if (!fileObj || !fileObj.boardId) {
  174. if (process.env.DEBUG === 'true') {
  175. console.warn('Blocked attachment removal: file has no boardId');
  176. }
  177. return false;
  178. }
  179. const board = ReactiveCache.getBoard(fileObj.boardId);
  180. if (!board) {
  181. if (process.env.DEBUG === 'true') {
  182. console.warn('Blocked attachment removal: board not found');
  183. }
  184. return false;
  185. }
  186. return allowIsBoardMember(userId, board);
  187. },
  188. fetch: ['meta', 'boardId'],
  189. });
  190. Meteor.methods({
  191. // Validate image URL to prevent SVG-based DoS attacks
  192. validateImageUrl(imageUrl) {
  193. check(imageUrl, String);
  194. if (!imageUrl) {
  195. return { valid: false, reason: 'Empty URL' };
  196. }
  197. // Block SVG files and data URIs
  198. if (imageUrl.endsWith('.svg') || imageUrl.startsWith('data:image/svg')) {
  199. if (process.env.DEBUG === 'true') {
  200. console.warn('Blocked potentially malicious SVG image URL:', imageUrl);
  201. }
  202. return { valid: false, reason: 'SVG images are blocked for security reasons' };
  203. }
  204. // Block data URIs that could contain malicious content
  205. if (imageUrl.startsWith('data:')) {
  206. if (process.env.DEBUG === 'true') {
  207. console.warn('Blocked data URI image URL:', imageUrl);
  208. }
  209. return { valid: false, reason: 'Data URIs are blocked for security reasons' };
  210. }
  211. // Validate URL format
  212. try {
  213. const url = new URL(imageUrl);
  214. // Only allow http and https protocols
  215. if (!['http:', 'https:'].includes(url.protocol)) {
  216. return { valid: false, reason: 'Only HTTP and HTTPS protocols are allowed' };
  217. }
  218. } catch (e) {
  219. return { valid: false, reason: 'Invalid URL format' };
  220. }
  221. return { valid: true };
  222. },
  223. moveAttachmentToStorage(fileObjId, storageDestination) {
  224. check(fileObjId, String);
  225. check(storageDestination, String);
  226. const fileObj = ReactiveCache.getAttachment(fileObjId);
  227. moveToStorage(fileObj, storageDestination, fileStoreStrategyFactory);
  228. },
  229. renameAttachment(fileObjId, newName) {
  230. check(fileObjId, String);
  231. check(newName, String);
  232. const currentUserId = Meteor.userId();
  233. if (!currentUserId) {
  234. throw new Meteor.Error('not-authorized', 'User must be logged in');
  235. }
  236. const fileObj = ReactiveCache.getAttachment(fileObjId);
  237. if (!fileObj) {
  238. throw new Meteor.Error('file-not-found', 'Attachment not found');
  239. }
  240. // Verify the user has permission to modify this attachment
  241. const board = ReactiveCache.getBoard(fileObj.boardId);
  242. if (!board) {
  243. throw new Meteor.Error('board-not-found', 'Board not found');
  244. }
  245. if (!allowIsBoardMember(currentUserId, board)) {
  246. if (process.env.DEBUG === 'true') {
  247. console.warn(`Blocked unauthorized attachment rename attempt: user ${currentUserId} tried to rename attachment ${fileObjId} in board ${fileObj.boardId}`);
  248. }
  249. throw new Meteor.Error('not-authorized', 'You do not have permission to modify this attachment');
  250. }
  251. rename(fileObj, newName, fileStoreStrategyFactory);
  252. },
  253. validateAttachment(fileObjId) {
  254. check(fileObjId, String);
  255. const fileObj = ReactiveCache.getAttachment(fileObjId);
  256. const isValid = Promise.await(isFileValid(fileObj, attachmentUploadMimeTypes, attachmentUploadSize, attachmentUploadExternalProgram));
  257. if (!isValid) {
  258. Attachments.remove(fileObjId);
  259. }
  260. },
  261. validateAttachmentAndMoveToStorage(fileObjId, storageDestination) {
  262. check(fileObjId, String);
  263. check(storageDestination, String);
  264. Meteor.call('validateAttachment', fileObjId);
  265. const fileObj = ReactiveCache.getAttachment(fileObjId);
  266. if (fileObj) {
  267. Meteor.defer(() => Meteor.call('moveAttachmentToStorage', fileObjId, storageDestination));
  268. }
  269. },
  270. });
  271. Meteor.startup(() => {
  272. Attachments.collection.createIndex({ 'meta.cardId': 1 });
  273. const storagePath = fileStoreStrategyFactory.storagePath;
  274. if (!fs.existsSync(storagePath)) {
  275. console.log("create storagePath because it doesn't exist: " + storagePath);
  276. fs.mkdirSync(storagePath, { recursive: true });
  277. }
  278. });
  279. }
  280. // Add backward compatibility methods - available on both client and server
  281. Attachments.getAttachmentWithBackwardCompatibility = getAttachmentWithBackwardCompatibility;
  282. Attachments.getAttachmentsWithBackwardCompatibility = getAttachmentsWithBackwardCompatibility;
  283. export default Attachments;