Added safe mime sniffing to prevent serving HTML

(Amoung other content types)
For #3027

diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php
index 283a01cfb6a8852f23c0d73c9ef975189572492c..3bccdcda47bc155eab429242c3cc26a2fd728a1f 100644 (file)
--- a/app/Http/Controllers/Controller.php
+++ b/app/Http/Controllers/Controller.php
@@ -5,6 +5,7 @@ namespace BookStack\Http\Controllers;
 use BookStack\Facades\Activity;
 use BookStack\Interfaces\Loggable;
 use BookStack\Model;
 use BookStack\Facades\Activity;
 use BookStack\Interfaces\Loggable;
 use BookStack\Model;

+use BookStack\Util\WebSafeMimeSniffer;

 use finfo;
 use Illuminate\Foundation\Bus\DispatchesJobs;
 use Illuminate\Foundation\Validation\ValidatesRequests;
 use finfo;
 use Illuminate\Foundation\Bus\DispatchesJobs;
 use Illuminate\Foundation\Validation\ValidatesRequests;


@@ -117,8 +118,9 @@ abstract class Controller extends BaseController
     protected function downloadResponse(string $content, string $fileName): Response
     {
         return response()->make($content, 200, [
     protected function downloadResponse(string $content, string $fileName): Response
     {
         return response()->make($content, 200, [

-            'Content-Type'        => 'application/octet-stream',
-            'Content-Disposition' => 'attachment; filename="' . $fileName . '"',
+            'Content-Type'           => 'application/octet-stream',
+            'Content-Disposition'    => 'attachment; filename="' . $fileName . '"',
+            'X-Content-Type-Options' => 'nosniff',

         ]);
     }
 
         ]);
     }
 


@@ -128,12 +130,13 @@ abstract class Controller extends BaseController
      */
     protected function inlineDownloadResponse(string $content, string $fileName): Response
     {
      */
     protected function inlineDownloadResponse(string $content, string $fileName): Response
     {

-        $finfo = new finfo(FILEINFO_MIME_TYPE);
-        $mime = $finfo->buffer($content) ?: 'application/octet-stream';
+
+        $mime = (new WebSafeMimeSniffer)->sniff($content);

 
         return response()->make($content, 200, [
 
         return response()->make($content, 200, [

-            'Content-Type'        => $mime,
-            'Content-Disposition' => 'inline; filename="' . $fileName . '"',
+            'Content-Type'           => $mime,
+            'Content-Disposition'    => 'inline; filename="' . $fileName . '"',
+            'X-Content-Type-Options' => 'nosniff',

         ]);
     }
 
         ]);
     }
 

diff --git a/app/Util/WebSafeMimeSniffer.php b/app/Util/WebSafeMimeSniffer.php
new file mode 100644 (file)
index 0000000..a896bd9
--- /dev/null
+++ b/app/Util/WebSafeMimeSniffer.php
@@ -0,0 +1,65 @@
+<?php
+
+namespace BookStack\Util;
+
+use finfo;
+
+/**
+ * Helper class to sniff out the mime-type of content resulting in
+ * a mime-type that's relatively safe to serve to a browser.
+ */
+class WebSafeMimeSniffer
+{
+
+    /**
+     * @var string[]
+     */
+    protected $safeMimes = [
+        'application/json',
+        'application/octet-stream',
+        'application/pdf',
+        'image/bmp',
+        'image/jpeg',
+        'image/png',
+        'image/gif',
+        'image/webp',
+        'image/avif',
+        'image/heic',
+        'text/css',
+        'text/csv',
+        'text/javascript',
+        'text/json',
+        'text/plain',
+        'video/x-msvideo',
+        'video/mp4',
+        'video/mpeg',
+        'video/ogg',
+        'video/webm',
+        'video/vp9',
+        'video/h264',
+        'video/av1',
+    ];
+
+    /**
+     * Sniff the mime-type from the given file content while running the result
+     * through an allow-list to ensure a web-safe result.
+     * Takes the content as a reference since the value may be quite large.
+     */
+    public function sniff(string &$content): string
+    {
+        $fInfo = new finfo(FILEINFO_MIME_TYPE);
+        $mime = $fInfo->buffer($content) ?: 'application/octet-stream';
+
+        if (in_array($mime, $this->safeMimes)) {
+            return $mime;
+        }
+
+        [$category] = explode('/', $mime, 2);
+        if ($category === 'text') {
+            return 'text/plain';
+        }
+
+        return 'application/octet-stream';
+    }
+
+}
\ No newline at end of file

diff --git a/tests/Uploads/AttachmentTest.php b/tests/Uploads/AttachmentTest.php
index 60fd370b676d0d592be5bfad9610ff04c0e55dcf..26f092bcc3b5c0039f823ff0d43c4457e0c8de3d 100644 (file)
--- a/tests/Uploads/AttachmentTest.php
+++ b/tests/Uploads/AttachmentTest.php
@@ -9,6 +9,7 @@ use BookStack\Uploads\Attachment;
 use BookStack\Uploads\AttachmentService;
 use Illuminate\Http\UploadedFile;
 use Tests\TestCase;
 use BookStack\Uploads\AttachmentService;
 use Illuminate\Http\UploadedFile;
 use Tests\TestCase;

+use Tests\TestResponse;

 
 class AttachmentTest extends TestCase
 {
 
 class AttachmentTest extends TestCase
 {


@@ -44,6 +45,20 @@ class AttachmentTest extends TestCase
         return Attachment::query()->latest()->first();
     }
 
         return Attachment::query()->latest()->first();
     }
 

+    /**
+     * Create a new upload attachment from the given data.
+     */
+    protected function createUploadAttachment(Page $page, string $filename, string $content, string $mimeType): Attachment
+    {
+        $file = tmpfile();
+        $filePath = stream_get_meta_data($file)['uri'];
+        file_put_contents($filePath, $content);
+        $upload = new UploadedFile($filePath, $filename, $mimeType, null, true);
+
+        $this->call('POST', '/attachments/upload', ['uploaded_to' => $page->id], [], ['file' => $upload], []);
+        return $page->attachments()->latest()->firstOrFail();
+    }
+

     /**
      * Delete all uploaded files.
      * To assist with cleanup.
     /**
      * Delete all uploaded files.
      * To assist with cleanup.


@@ -305,7 +320,24 @@ class AttachmentTest extends TestCase
         // http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
         $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
         $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="upload_test_file.txt"');
         // http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
         $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
         $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="upload_test_file.txt"');

+        $attachmentGet->assertHeader('X-Content-Type-Options', 'nosniff');

 
         $this->deleteUploads();
     }
 
         $this->deleteUploads();
     }

+
+    public function test_html_file_access_with_open_forces_plain_content_type()
+    {
+        $page = Page::query()->first();
+        $this->asAdmin();
+
+        $attachment = $this->createUploadAttachment($page, 'test_file.html', '<html></html><p>testing</p>', 'text/html');
+
+        $attachmentGet = $this->get($attachment->getUrl(true));
+        // http-foundation/Response does some 'fixing' of responses to add charsets to text responses.
+        $attachmentGet->assertHeader('Content-Type', 'text/plain; charset=UTF-8');
+        $attachmentGet->assertHeader('Content-Disposition', 'inline; filename="test_file.html"');
+
+        $this->deleteUploads();
+    }
+

 }
 }