[COMPONENT][Attachment][Controller] Security fix: We were not ensuring that attachment was related to note

This commit is contained in:
Diogo Peralta Cordeiro 2022-03-07 17:09:53 +00:00
parent 47f03d4c9f
commit 5c7b079df5
No known key found for this signature in database
GPG Key ID: 18D2D35001FBFAB0

View File

@ -35,6 +35,7 @@ use App\Util\Exception\NoSuchFileException;
use App\Util\Exception\NotFoundException;
use App\Util\Exception\ServerException;
use Component\Attachment\Entity\AttachmentThumbnail;
use Component\Attachment\Entity\AttachmentToNote;
use Symfony\Component\HttpFoundation\HeaderUtils;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
@ -50,7 +51,12 @@ class Attachment extends Controller
$attachment = DB::findOneBy('attachment', ['id' => $attachment_id]);
$note = \is_int($note) ? Note::getById($note) : $note;
// Before anything, ensure proper scope
// Before anything, two very important things!
// first: ensure this attachment is associated with this note
if (DB::count(AttachmentToNote::class, ['attachment_id' => $attachment->getId(), 'note_id' => $note->getId()]) <= 0) {
throw new ClientException(_m('No such attachment.'), 404);
}
// second: ensure proper scope
if (!$note->isVisibleTo(Common::actor())) {
throw new ClientException(_m('You don\'t have permissions to view this attachment.'), 401);
}
@ -145,12 +151,18 @@ class Attachment extends Controller
*/
public function attachmentThumbnailWithNote(Request $request, int $note_id, int $attachment_id, string $size = 'small'): Response
{
// Before anything, ensure proper scope
if (!Note::getById($note_id)->isVisibleTo(Common::actor())) {
throw new ClientException(_m('You don\'t have permissions to view this thumbnail.'), 401);
}
$attachment = DB::findOneBy('attachment', ['id' => $attachment_id]);
$note = Note::getById($note_id);
// Before anything, two very important things!
// first: ensure this attachment is associated with this note
if (DB::count(AttachmentToNote::class, ['attachment_id' => $attachment->getId(), 'note_id' => $note->getId()]) <= 0) {
throw new ClientException(_m('No such attachment.'), 404);
}
// second: ensure proper scope
if (!$note->isVisibleTo(Common::actor())) {
throw new ClientException(_m('You don\'t have permissions to view this attachment.'), 401);
}
$crop = Common::config('thumbnail', 'smart_crop');