Move filename validation out of the Router and into the FilesAdaptor (#6157)

* Move filename validation out of the Router and into the FilesAdaptor * Address PR comments * Update unittests to handle FilesAdapter interface change * Make validateFilename optional
2019-10-26 19:15:21 -07:00
parent 93fe6b44e4
commit 1c8d4a6519
7 changed files with 93 additions and 22 deletions
--- a/src/Adapters/Files/FilesAdapter.js
+++ b/src/Adapters/Files/FilesAdapter.js
@@ -8,12 +8,16 @@
 // * deleteFile(filename)
 // * getFileData(filename)
 // * getFileLocation(config, filename)
+// Adapter classes should implement the following functions:
+// * validateFilename(filename)
+// * handleFileStream(filename, req, res, contentType)
 //
 // Default is GridFSBucketAdapter, which requires mongo
 // and for the API server to be using the DatabaseController with Mongo
 // database adapter.

 import type { Config } from '../../Config';
+import Parse from 'parse/node';
 /**
 * @module Adapters
 */
@@ -56,6 +60,46 @@ export class FilesAdapter {
   * @return {string} Absolute URL
   */
  getFileLocation(config: Config, filename: string): string {}
+
+  /** Validate a filename for this adapter type
+   *
+   * @param {string} filename
+   *
+   * @returns {null|Parse.Error} null if there are no errors
+   */
+  // validateFilename(filename: string): ?Parse.Error {}
+
+  /** Handles Byte-Range Requests for Streaming
+   *
+   * @param {string} filename
+   * @param {object} req
+   * @param {object} res
+   * @param {string} contentType
+   *
+   * @returns {Promise} Data for byte range
+   */
+  // handleFileStream(filename: string, res: any, req: any, contentType: string): Promise
+}
+
+/**
+ * Simple filename validation
+ *
+ * @param filename
+ * @returns {null|Parse.Error}
+ */
+export function validateFilename(filename): ?Parse.Error {
+  if (filename.length > 128) {
+    return new Parse.Error(Parse.Error.INVALID_FILE_NAME, 'Filename too long.');
+  }
+
+  const regx = /^[_a-zA-Z0-9][a-zA-Z0-9@. ~_-]*$/;
+  if (!filename.match(regx)) {
+    return new Parse.Error(
+      Parse.Error.INVALID_FILE_NAME,
+      'Filename contains invalid characters.'
+    );
+  }
+  return null;
 }

 export default FilesAdapter;
--- a/src/Adapters/Files/GridFSBucketAdapter.js
+++ b/src/Adapters/Files/GridFSBucketAdapter.js
@@ -8,7 +8,7 @@

 // @flow-disable-next
 import { MongoClient, GridFSBucket, Db } from 'mongodb';
-import { FilesAdapter } from './FilesAdapter';
+import { FilesAdapter, validateFilename } from './FilesAdapter';
 import defaults from '../../defaults';

 export class GridFSBucketAdapter extends FilesAdapter {
@@ -139,6 +139,10 @@ export class GridFSBucketAdapter extends FilesAdapter {
    }
    return this._client.close(false);
  }
+
+  validateFilename(filename) {
+    return validateFilename(filename);
+  }
 }

 export default GridFSBucketAdapter;
--- a/src/Adapters/Files/GridStoreAdapter.js
+++ b/src/Adapters/Files/GridStoreAdapter.js
@@ -9,7 +9,7 @@

 // @flow-disable-next
 import { MongoClient, GridStore, Db } from 'mongodb';
-import { FilesAdapter } from './FilesAdapter';
+import { FilesAdapter, validateFilename } from './FilesAdapter';
 import defaults from '../../defaults';

 export class GridStoreAdapter extends FilesAdapter {
@@ -110,6 +110,10 @@ export class GridStoreAdapter extends FilesAdapter {
    }
    return this._client.close(false);
  }
+
+  validateFilename(filename) {
+    return validateFilename(filename);
+  }
 }

 // handleRangeRequest is licensed under Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/).