Security fixes - sanitizing file upload

Author: rxtur

src/Blogifier.Core/Providers/PostProvider.cs

@@ -236,8 +236,8 @@ public async Task<bool> Add(Post post)
 			post.DateCreated = DateTime.UtcNow;
 
             // sanitize HTML fields
-            post.Content = post.Content.RemoveScriptTags();
-            post.Description = post.Description.RemoveScriptTags();
+            post.Content = post.Content.RemoveScriptTags().RemoveImgTags();
+            post.Description = post.Description.RemoveScriptTags().RemoveImgTags();
 
 			await _db.Posts.AddAsync(post);
 			return await _db.SaveChangesAsync() > 0;
@@ -251,8 +251,8 @@ public async Task<bool> Update(Post post)
 
 			existing.Slug = post.Slug;
 			existing.Title = post.Title;
-			existing.Description = post.Description.RemoveScriptTags();
-			existing.Content = post.Content.RemoveScriptTags();
+			existing.Description = post.Description.RemoveScriptTags().RemoveImgTags();
+			existing.Content = post.Content.RemoveScriptTags().RemoveImgTags();
 			existing.Cover = post.Cover;
 			existing.PostType = post.PostType;
 			existing.Published = post.Published;

src/Blogifier.Core/Providers/StorageProvider.cs

@@ -1,6 +1,7 @@
 using Blogifier.Core.Extensions;
 using Blogifier.Shared;
 using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Configuration;
 using System;
 using System.Collections.Generic;
 using System.IO;
@@ -26,10 +27,12 @@ public class StorageProvider : IStorageProvider
 	{
 		private string _storageRoot;
 		private readonly string _slash = Path.DirectorySeparatorChar.ToString();
+		private readonly IConfiguration _configuration;
 
-		public StorageProvider()
+		public StorageProvider(IConfiguration configuration)
 		{
 			_storageRoot = $"{ContentRoot}{_slash}wwwroot{_slash}data{_slash}";
+			_configuration = configuration;
 		}
 
 		public bool FileExists(string path)
@@ -103,6 +106,13 @@ public async Task<bool> UploadFormFile(IFormFile file, string path = "")
 			VerifyPath(path);
 
 			var fileName = GetFileName(file.FileName);
+
+			if(InvalidFileName(fileName))
+			{
+				Serilog.Log.Error($"Invalid file name: {fileName}");
+				return false;
+			}
+
 			var filePath = string.IsNullOrEmpty(path) ?
 				 Path.Combine(_storageRoot, fileName) :
 				 Path.Combine(_storageRoot, path + _slash + fileName);
@@ -307,6 +317,27 @@ string GetImgSrcValue(string imgTag)
 			return imgTag.Substring(srcStart, srcEnd - srcStart);
 		}
 
+		bool InvalidFileName(string fileName)
+      {
+			List<string> fileExtensions = new List<string>() { "png", "gif", "jpeg", "jpg", "zip", "7z", "pdf", "doc", "docx", "xls", "xlsx", "mp3", "mp4", "avi" };
+         string configFileExtensions = _configuration.GetSection("Blogifier").GetValue<string>("FileExtensions");
+			
+			if(!string.IsNullOrEmpty(configFileExtensions))
+			{
+				fileExtensions = new List<string>(configFileExtensions.Split(','));
+			}
+
+			foreach(string ext in fileExtensions)
+			{
+				if(fileName.EndsWith(ext))
+				{
+					return false;
+				}
+			}
+
+			return true;
+      }
+
 		#endregion
 	}
 }

src/Blogifier.Shared/Extensions/StringExtensions.cs

@@ -37,5 +37,11 @@ public static string RemoveScriptTags(this string str)
             Regex scriptRegex = new Regex(@"<script[^>]*>[\s\S]*?</script>");
             return scriptRegex.Replace(str, "");
         }
+
+        public static string RemoveImgTags(this string str)
+        {
+            Regex scriptRegex = new Regex(@"<img[^>]*>[\s\S]*?>");
+            return scriptRegex.Replace(str, "");
+        }
     }
 }

src/Blogifier/appsettings.json

@@ -7,10 +7,11 @@
 		}
 	},
 	"AllowedHosts": "*",
-  "Blogifier": {
-    "DbProvider": "SQLite",
-    "ConnString": "Data Source=Blog.db",
-    "Salt": "SECRET-CHANGE-ME!",
-    "DemoMode": false
-  }
+	"Blogifier": {
+		"DbProvider": "SQLite",
+		"ConnString": "Data Source=Blog.db",
+		"Salt": "SECRET-CHANGE-ME!",
+		"DemoMode": false,
+		"FileExtensions": "png,gif,jpeg,jpg,zip,7z,pdf,doc,docx,xls,xlsx,mp3,mp4,avi"
+	}
 }

tests/Blogifier.Tests/StorageProviderTests.cs

@@ -1,4 +1,6 @@
 using Blogifier.Core.Providers;
+using Microsoft.Extensions.Configuration;
+using System.Collections.Generic;
 using System.Threading.Tasks;
 using Xunit;
 
@@ -31,7 +33,15 @@ public async Task CanUploadBase64Image()
 
       IStorageProvider GetSut()
       {
-         return new StorageProvider();
+         var inMemorySettings = new Dictionary<string, string> {
+            {"Blgofier:FileExtensions", "png,gif,jpeg,jpg,zip"}
+         };
+
+         IConfiguration configuration = new ConfigurationBuilder()
+            .AddInMemoryCollection(inMemorySettings)
+            .Build();
+
+         return new StorageProvider(configuration);
       }
    }
 }