Merge pull request from GHSA-mwvh-p3hx-x4gg

eZ/Publish/Core/FieldType/BinaryBase/BinaryBaseStorage.php

@@ -6,6 +6,8 @@
  */
 namespace eZ\Publish\Core\FieldType\BinaryBase;
 
+use eZ\Publish\Core\Base\Exceptions\ContentFieldValidationException;
+use eZ\Publish\Core\FieldType\Validator\FileExtensionBlackListValidator;
 use eZ\Publish\Core\IO\IOServiceInterface;
 use eZ\Publish\SPI\FieldType\BinaryBase\PathGenerator;
 use eZ\Publish\SPI\FieldType\BinaryBase\RouteAwarePathGenerator;
@@ -39,24 +41,21 @@ class BinaryBaseStorage extends GatewayBasedStorage
     /** @var \eZ\Publish\Core\FieldType\BinaryBase\BinaryBaseStorage\Gateway */
     protected $gateway;
 
-    /**
-     * Construct from gateways.
-     *
-     * @param \eZ\Publish\SPI\FieldType\StorageGateway $gateway
-     * @param \eZ\Publish\Core\IO\IOServiceInterface $ioService
-     * @param \eZ\Publish\SPI\FieldType\BinaryBase\PathGenerator $pathGenerator
-     * @param \eZ\Publish\SPI\IO\MimeTypeDetector $mimeTypeDetector
-     */
+    /** @var \eZ\Publish\Core\FieldType\Validator\FileExtensionBlackListValidator */
+    protected $fileExtensionBlackListValidator;
+
     public function __construct(
         StorageGateway $gateway,
         IOServiceInterface $ioService,
         PathGenerator $pathGenerator,
-        MimeTypeDetector $mimeTypeDetector
+        MimeTypeDetector $mimeTypeDetector,
+        FileExtensionBlackListValidator $fileExtensionBlackListValidator
     ) {
         parent::__construct($gateway);
         $this->ioService = $ioService;
         $this->pathGenerator = $pathGenerator;
         $this->mimeTypeDetector = $mimeTypeDetector;
+        $this->fileExtensionBlackListValidator = $fileExtensionBlackListValidator;
     }
 
     /**
@@ -67,6 +66,10 @@ public function setDownloadUrlGenerator(PathGenerator $downloadUrlGenerator)
         $this->downloadUrlGenerator = $downloadUrlGenerator;
     }
 
+    /**
+     * @throws \eZ\Publish\API\Repository\Exceptions\InvalidArgumentException
+     * @throws \eZ\Publish\API\Repository\Exceptions\ContentFieldValidationException
+     */
     public function storeFieldData(VersionInfo $versionInfo, Field $field, array $context)
     {
         if ($field->value->externalData === null) {
@@ -76,6 +79,17 @@ public function storeFieldData(VersionInfo $versionInfo, Field $field, array $co
         }
 
         if (isset($field->value->externalData['inputUri'])) {
+            $this->fileExtensionBlackListValidator->validateFileExtension($field->value->externalData['fileName']);
+            if (!empty($errors = $this->fileExtensionBlackListValidator->getErrors())) {
+                $preparedErrors = [];
+                $preparedErrors[$field->fieldDefinitionId][$field->languageCode] = $errors;
+
+                throw ContentFieldValidationException::createNewWithMultiline(
+                    $preparedErrors,
+                    $versionInfo->contentInfo->name
+                );
+            }
+
             $field->value->externalData['mimeType'] = $this->mimeTypeDetector->getFromPath($field->value->externalData['inputUri']);
             $createStruct = $this->ioService->newBinaryCreateStructFromLocalFile($field->value->externalData['inputUri']);
             $createStruct->id = $this->pathGenerator->getStoragePathForField($field, $versionInfo);

eZ/Publish/Core/FieldType/Image/ImageStorage.php

@@ -6,8 +6,10 @@
  */
 namespace eZ\Publish\Core\FieldType\Image;
 
+use eZ\Publish\Core\Base\Exceptions\ContentFieldValidationException;
 use eZ\Publish\Core\Base\Exceptions\InvalidArgumentException;
 use eZ\Publish\Core\Base\Utils\DeprecationWarnerInterface as DeprecationWarner;
+use eZ\Publish\Core\FieldType\Validator\FileExtensionBlackListValidator;
 use eZ\Publish\Core\IO\FilePathNormalizerInterface;
 use eZ\Publish\Core\IO\IOServiceInterface;
 use eZ\Publish\Core\IO\MetadataHandler;
@@ -42,14 +44,18 @@ class ImageStorage extends GatewayBasedStorage
     /** @var \eZ\Publish\Core\IO\FilePathNormalizerInterface */
     protected $filePathNormalizer;
 
+    /** @var \eZ\Publish\Core\FieldType\Validator\FileExtensionBlackListValidator */
+    protected $fileExtensionBlackListValidator;
+
     public function __construct(
         StorageGateway $gateway,
         IOServiceInterface $ioService,
         PathGenerator $pathGenerator,
         MetadataHandler $imageSizeMetadataHandler,
         DeprecationWarner $deprecationWarner,
         AliasCleanerInterface $aliasCleaner,
-        FilePathNormalizerInterface $filePathNormalizer
+        FilePathNormalizerInterface $filePathNormalizer,
+        FileExtensionBlackListValidator $fileExtensionBlackListValidator
     ) {
         parent::__construct($gateway);
         $this->ioService = $ioService;
@@ -58,8 +64,15 @@ public function __construct(
         $this->deprecationWarner = $deprecationWarner;
         $this->aliasCleaner = $aliasCleaner;
         $this->filePathNormalizer = $filePathNormalizer;
+        $this->fileExtensionBlackListValidator = $fileExtensionBlackListValidator;
     }
 
+    /**
+     * @throws \eZ\Publish\Core\Base\Exceptions\NotFoundException
+     * @throws \eZ\Publish\Core\Base\Exceptions\InvalidArgumentValue
+     * @throws \eZ\Publish\Core\Base\Exceptions\InvalidArgumentException
+     * @throws \eZ\Publish\Core\Base\Exceptions\ContentFieldValidationException
+     */
     public function storeFieldData(VersionInfo $versionInfo, Field $field, array $context)
     {
         $contentMetaData = [
@@ -70,6 +83,17 @@ public function storeFieldData(VersionInfo $versionInfo, Field $field, array $co
 
         // new image
         if (isset($field->value->externalData)) {
+            $this->fileExtensionBlackListValidator->validateFileExtension($field->value->externalData['fileName']);
+            if (!empty($errors = $this->fileExtensionBlackListValidator->getErrors())) {
+                $preparedErrors = [];
+                $preparedErrors[$field->fieldDefinitionId][$field->languageCode] = $errors;
+
+                throw ContentFieldValidationException::createNewWithMultiline(
+                    $preparedErrors,
+                    $versionInfo->contentInfo->name
+                );
+            }
+
             $targetPath = sprintf(
                 '%s/%s',
                 $this->pathGenerator->getStoragePathForField(

eZ/Publish/Core/FieldType/Tests/BinaryFileTest.php

@@ -595,7 +595,7 @@ public function provideInvalidDataForValidate()
                 ),
                 [
                     new ValidationError(
-                        'A valid file is required. Following file extensions are on the blacklist: %extensionsBlackList%',
+                        'A valid file is required. The following file extensions are not allowed: %extensionsBlackList%',
                         null,
                         ['%extensionsBlackList%' => implode(', ', $this->blackListedExtensions)],
                         'fileExtensionBlackList'
@@ -623,7 +623,7 @@ public function provideInvalidDataForValidate()
                 ),
                 [
                     new ValidationError(
-                        'A valid file is required. Following file extensions are on the blacklist: %extensionsBlackList%',
+                        'A valid file is required. The following file extensions are not allowed: %extensionsBlackList%',
                         null,
                         ['%extensionsBlackList%' => implode(', ', $this->blackListedExtensions)],
                         'fileExtensionBlackList'

eZ/Publish/Core/FieldType/Tests/ImageTest.php

@@ -711,7 +711,7 @@ public function provideInvalidDataForValidate()
                 ),
                 [
                     new ValidationError(
-                        'A valid file is required. Following file extensions are on the blacklist: %extensionsBlackList%',
+                        'A valid file is required. The following file extensions are not allowed: %extensionsBlackList%',
                         null,
                         ['%extensionsBlackList%' => implode(', ', $this->blackListedExtensions)],
                         'fileExtensionBlackList'
@@ -743,7 +743,7 @@ public function provideInvalidDataForValidate()
                 ),
                 [
                     new ValidationError(
-                        'A valid file is required. Following file extensions are on the blacklist: %extensionsBlackList%',
+                        'A valid file is required. The following file extensions are not allowed: %extensionsBlackList%',
                         null,
                         ['%extensionsBlackList%' => implode(', ', $this->blackListedExtensions)],
                         'fileExtensionBlackList'
@@ -778,7 +778,7 @@ public function provideInvalidDataForValidate()
                 ),
                 [
                     new ValidationError(
-                        'A valid file is required. Following file extensions are on the blacklist: %extensionsBlackList%',
+                        'A valid file is required. The following file extensions are not allowed: %extensionsBlackList%',
                         null,
                         ['%extensionsBlackList%' => implode(', ', $this->blackListedExtensions)],
                         'fileExtensionBlackList'
@@ -810,7 +810,7 @@ public function provideInvalidDataForValidate()
                 ),
                 [
                     new ValidationError(
-                        'A valid file is required. Following file extensions are on the blacklist: %extensionsBlackList%',
+                        'A valid file is required. The following file extensions are not allowed: %extensionsBlackList%',
                         null,
                         ['%extensionsBlackList%' => implode(', ', $this->blackListedExtensions)],
                         'fileExtensionBlackList'

eZ/Publish/Core/FieldType/Tests/Integration/BinaryBase/BinaryBaseStorage/BinaryBaseStorageTest.php

@@ -13,6 +13,7 @@
 use eZ\Publish\Core\FieldType\BinaryBase\BinaryBaseStorage\Gateway;
 use eZ\Publish\Core\FieldType\BinaryFile\BinaryFileStorage\Gateway\DoctrineStorage;
 use eZ\Publish\Core\FieldType\Tests\Integration\BaseCoreFieldTypeIntegrationTest;
+use eZ\Publish\Core\FieldType\Validator\FileExtensionBlackListValidator;
 use eZ\Publish\Core\IO\IOServiceInterface;
 use eZ\Publish\Core\IO\Values\BinaryFile;
 use eZ\Publish\Core\IO\Values\BinaryFileCreateStruct;
@@ -36,13 +37,19 @@ class BinaryBaseStorageTest extends BaseCoreFieldTypeIntegrationTest
     /** @var \eZ\Publish\Core\FieldType\BinaryBase\BinaryBaseStorage|\PHPUnit\Framework\MockObject\MockObject */
     protected $storage;
 
+    /** @var \eZ\Publish\Core\FieldType\Validator\FileExtensionBlackListValidator&\PHPUnit\Framework\MockObject\MockObject */
+    protected $fileExtensionBlackListValidatorMock;
+
     protected function setUp(): void
     {
         parent::setUp();
 
         $this->gateway = $this->getStorageGateway();
         $this->pathGeneratorMock = $this->createMock(PathGenerator::class);
         $this->ioServiceMock = $this->createMock(IOServiceInterface::class);
+        $this->fileExtensionBlackListValidatorMock = $this->createMock(
+            FileExtensionBlackListValidator::class
+        );
         $this->storage = $this->getMockBuilder(BinaryBaseStorage::class)
             ->onlyMethods([])
             ->setConstructorArgs(
@@ -51,6 +58,7 @@ protected function setUp(): void
                     $this->ioServiceMock,
                     $this->pathGeneratorMock,
                     $this->createMock(MimeTypeDetector::class),
+                    $this->fileExtensionBlackListValidatorMock,
                 ]
             )
             ->getMock();

eZ/Publish/Core/FieldType/Tests/MediaTest.php

@@ -761,7 +761,7 @@ public function provideInvalidDataForValidate()
                 ),
                 [
                     new ValidationError(
-                        'A valid file is required. Following file extensions are on the blacklist: %extensionsBlackList%',
+                        'A valid file is required. The following file extensions are not allowed: %extensionsBlackList%',
                         null,
                         ['%extensionsBlackList%' => implode(', ', $this->blackListedExtensions)],
                         'fileExtensionBlackList'

eZ/Publish/Core/FieldType/Validator/FileExtensionBlackListValidator.php

@@ -46,23 +46,40 @@ public function validateConstraints($constraints)
      * {@inheritdoc}
      */
     public function validate(BaseValue $value)
+    {
+        $this->errors = [];
+
+        $this->validateFileExtension($value->fileName);
+
+        return empty($this->errors);
+    }
+
+    public function validateFileExtension(string $fileName): void
     {
         if (
-            pathinfo($value->fileName, PATHINFO_BASENAME) !== $value->fileName ||
-            in_array(strtolower(pathinfo($value->fileName, PATHINFO_EXTENSION)), $this->constraints['extensionsBlackList'], true)
+            pathinfo($fileName, PATHINFO_BASENAME) !== $fileName
+            || in_array(
+                strtolower(pathinfo($fileName, PATHINFO_EXTENSION)),
+                $this->constraints['extensionsBlackList'],
+                true
+            )
         ) {
             $this->errors[] = new ValidationError(
-                'A valid file is required. Following file extensions are on the blacklist: %extensionsBlackList%',
+                'A valid file is required. The following file extensions are not allowed: %extensionsBlackList%',
                 null,
                 [
                     '%extensionsBlackList%' => implode(', ', $this->constraints['extensionsBlackList']),
                 ],
                 'fileExtensionBlackList'
             );
-
-            return false;
         }
+    }
 
-        return true;
+    /**
+     * @return array<\eZ\Publish\SPI\FieldType\ValidationError>
+     */
+    public function getErrors(): array
+    {
+        return $this->errors;
     }
 }

eZ/Publish/Core/settings/fieldtype_external_storages.yml

@@ -2,10 +2,11 @@ services:
     ezpublish.fieldType.ezbinaryfile.externalStorage:
         class: eZ\Publish\Core\FieldType\BinaryFile\BinaryFileStorage
         arguments:
-            - "@ezpublish.fieldType.ezbinaryfile.storage_gateway"
-            - "@ezpublish.fieldType.ezbinaryfile.io_service"
-            - "@ezpublish.fieldType.ezbinaryfile.pathGenerator"
-            - "@ezpublish.core.io.mimeTypeDetector"
+            $gateway: '@ezpublish.fieldType.ezbinaryfile.storage_gateway'
+            $ioService: '@ezpublish.fieldType.ezbinaryfile.io_service'
+            $pathGenerator: '@ezpublish.fieldType.ezbinaryfile.pathGenerator'
+            $mimeTypeDetector: '@ezpublish.core.io.mimeTypeDetector'
+            $fileExtensionBlackListValidator: '@ezpublish.fieldType.validator.black_list'
         tags:
             - {name: ezplatform.field_type.external_storage_handler, alias: ezbinaryfile}
 
@@ -19,6 +20,7 @@ services:
             $deprecationWarner: '@ezpublish.utils.deprecation_warner'
             $aliasCleaner: '@eZ\Publish\Core\FieldType\Image\AliasCleanerInterface'
             $filePathNormalizer: '@eZ\Publish\Core\IO\FilePathNormalizerInterface'
+            $fileExtensionBlackListValidator: '@ezpublish.fieldType.validator.black_list'
         tags:
             - {name: ezplatform.field_type.external_storage_handler, alias: ezimage}
 
@@ -31,10 +33,11 @@ services:
     ezpublish.fieldType.ezmedia.externalStorage:
         class: eZ\Publish\Core\FieldType\Media\MediaStorage
         arguments:
-            - "@ezpublish.fieldType.ezmedia.storage_gateway"
-            - "@ezpublish.fieldType.ezbinaryfile.io_service"
-            - "@ezpublish.fieldType.ezbinaryfile.pathGenerator"
-            - "@ezpublish.core.io.mimeTypeDetector"
+            $gateway: '@ezpublish.fieldType.ezmedia.storage_gateway'
+            $ioService: '@ezpublish.fieldType.ezbinaryfile.io_service'
+            $pathGenerator: '@ezpublish.fieldType.ezbinaryfile.pathGenerator'
+            $mimeTypeDetector: '@ezpublish.core.io.mimeTypeDetector'
+            $fileExtensionBlackListValidator: '@ezpublish.fieldType.validator.black_list'
         tags:
             - {name: ezplatform.field_type.external_storage_handler, alias: ezmedia}
 

eZ/Publish/SPI/Tests/FieldType/BinaryFileIntegrationTest.php

@@ -7,6 +7,7 @@
 namespace eZ\Publish\SPI\Tests\FieldType;
 
 use eZ\Publish\Core\FieldType;
+use eZ\Publish\Core\FieldType\Validator\FileExtensionBlackListValidator;
 use eZ\Publish\Core\IO\MimeTypeDetector\FileInfo;
 use eZ\Publish\Core\Persistence\Legacy;
 use eZ\Publish\SPI\Persistence\Content;
@@ -38,6 +39,9 @@
  */
 class BinaryFileIntegrationTest extends FileBaseIntegrationTest
 {
+    /** @var \eZ\Publish\Core\FieldType\Validator\FileExtensionBlackListValidator&\PHPUnit\Framework\MockObject\MockObject */
+    private $fileExtensionBlackListValidator;
+
     /**
      * Returns the storage identifier prefix used by the file service.
      *
@@ -71,6 +75,7 @@ public function getCustomHandler()
         $fieldType->setTransformationProcessor($this->getTransformationProcessor());
 
         $this->ioService = self::$container->get('ezpublish.fieldType.ezbinaryfile.io_service');
+        $this->fileExtensionBlackListValidator = $this->createMock(FileExtensionBlackListValidator::class);
 
         return $this->getHandler(
             'ezbinaryfile',
@@ -80,7 +85,8 @@ public function getCustomHandler()
                 new FieldType\BinaryFile\BinaryFileStorage\Gateway\DoctrineStorage($this->getDatabaseConnection()),
                 $this->ioService,
                 new FieldType\BinaryBase\PathGenerator\LegacyPathGenerator(),
-                new FileInfo()
+                new FileInfo(),
+                $this->fileExtensionBlackListValidator
             )
         );
     }