Merge pull request #2105 from AtlasOfLivingAustralia/hotfix/issue750

Fix for ala-infrastructure#750
AtlasOfLivingAustralia · Nov 12, 2020 · ee44ac4 · ee44ac4
2 parents 4911ebf + 74dd050
commit ee44ac4
Show file tree

Hide file tree

Showing 3 changed files with 67 additions and 2 deletions.
diff --git a/application.properties b/application.properties
@@ -2,5 +2,5 @@
 #Tue Jun 20 09:06:54 EST 2017
 app.grails.version=2.5.6
 app.name=fieldcapture
-app.version=1.60.1
+app.version=1.60.2-SNAPSHOT
 
diff --git a/grails-app/controllers/au/org/ala/merit/ImageController.groovy b/grails-app/controllers/au/org/ala/merit/ImageController.groovy
@@ -97,7 +97,12 @@ class ImageController {
      * The content type of the file is derived purely from the file extension.
      */
     def get() {
-        File f = new File(imageService.fullPath(params.id))
+        String filename = FilenameUtils.getName(params.id)
+        if (filename != params.id) {
+            response.status = 404
+            return
+        }
+        File f = new File(imageService.fullPath(filename))
         if (!f.exists()) {
             response.status = 404
             return

diff --git a/test/unit/au/org/ala/merit/ImageControllerSpec.groovy b/test/unit/au/org/ala/merit/ImageControllerSpec.groovy
@@ -0,0 +1,60 @@
+package au.org.ala.merit
+
+import grails.test.mixin.TestFor
+import org.apache.commons.io.IOUtils
+import org.apache.http.HttpStatus
+import spock.lang.Specification
+
+@TestFor(ImageController)
+class ImageControllerSpec extends Specification {
+
+    File uploadPath
+    File temp
+
+    void setup() {
+
+        controller.imageService = new ImageService() // to use the fullPath method without needing to mock it
+        controller.imageService.grailsApplication = controller.grailsApplication
+        temp = File.createTempDir("tmp", "")
+        uploadPath = new File(temp, "upload")
+        uploadPath.mkdir()
+
+        controller.grailsApplication.config.upload.images.path = uploadPath.getAbsolutePath()
+
+        // Setup two files, one that should be accessible, and one that should not.
+        File validFile =  new File(uploadPath, "validFile.png")
+        validFile.createNewFile()
+
+        File privateFile = new File(temp, "privateFile.png")
+        privateFile.createNewFile()
+    }
+
+    void "Files can be retrieved from the temporary upload directory by filename"() {
+        when:
+        params.id = "validFile.png"
+        controller.get()
+
+        then:
+        response.contentType == "image/png"
+        response.status == HttpStatus.SC_OK
+    }
+
+    void "If a file doesn't exist, a 404 will be returned"() {
+        when:
+        params.id = "missingFile.png"
+        controller.get()
+
+        then:
+        response.status == HttpStatus.SC_NOT_FOUND
+    }
+
+    void "A file cannot be retrieved from outside the designated uploads directory"() {
+        when:
+        params.id = "../privateFile.png"
+        controller.get()
+
+        then:
+        new File(uploadPath, params.id).exists()
+        response.status == HttpStatus.SC_NOT_FOUND
+    }
+}