From 7b7652b50d46a9cd30eb36e0ba939971f3f8070b Mon Sep 17 00:00:00 2001
From: Tina_Azure <->
Date: Wed, 13 Sep 2023 14:08:51 +0200
Subject: [PATCH] Client side File Type and Blacklisted Character validation
---
 src/main.cpp | 15 +++++++-
 src/templateConstCollection.cpp | 3 ++
 .../freelancer_Submission_Management_Add.html | 3 ++
 .../freelancerSubmissionUpload.js.html | 37 +++++++++++++++++--
 4 files changed, 52 insertions(+), 6 deletions(-)
diff --git a/src/main.cpp b/src/main.cpp
index 65b7143..f30b1a4 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -23,7 +23,6 @@ int main(int argc, char *argv[]) {
 if (argc > 1)
 configuration.configPath = argv[1];
-
 #ifndef CROW_ENABLE_SSL
 Utilities::errorOut("CROW_ENABLE_SSL is not defined and thus SSL is deactivated", true);
 #endif
@@ -996,15 +995,27 @@ int main(int argc, char *argv[]) {
 ctx[MUSTACHE_FREELANCER_MAXIMUM_STORAGE_IN_MB] = maxStorageInMB;
 ctx[MUSTACHE_FREELANCER_MAXIMUM_FILE_NAME_SIZE] = configuration.submissionMaxFileNameSize;
- string allowedFiletypes;
+ string allowedFiletypes, forbiddenChars, forbiddenCharsSEP;
 for (const string &filetype: configuration.submissionAllowedFiletypes) {
 if (!allowedFiletypes.empty())
 allowedFiletypes.append(",");
 allowedFiletypes.append(".");
 allowedFiletypes.append(filetype);
 }
+ for (const string &character: configuration.submissionBlacklistedCharacters) {
+ if (!forbiddenChars.empty()) {
+ forbiddenChars.append(",");
+ forbiddenCharsSEP.append(MUSTACHE_GENERIC_SEPARATOR);
+ }
+ forbiddenChars.append(character);
+ string encodedChar = character;
+ Utilities::encodeString(encodedChar);
+ forbiddenCharsSEP.append(encodedChar);
+ }
 ctx[MUSTACHE_FREELANCER_ALLOWED_FILE_TYPES_LIST_COMMA_SEPARATED] = allowedFiletypes;
+ ctx[MUSTACHE_FREELANCER_FORBIDDEN_FILE_CHARACTER_LIST_COMMA_SEPARATED] = forbiddenChars;
+ ctx[MUSTACHE_FREELANCER_FORBIDDEN_FILE_CHARACTER_LIST_SEP_SEPARATED] = forbiddenCharsSEP;
 if (usedStorageInMB < maxStorageInMB)
 ctx[MUSTACHE_FREELANCER_UPLOAD_AVAILIBLE] = true;
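Review bot: The `forbiddenCharsSEP` list built in the new loop only works on the client if `Utilities::encodeString` percent-encodes every blacklisted character exactly as the template's `encodeURIComponent` does; a character that one side leaves bare (under `encodeURIComponent` that includes `'`, `(`, `)`, `!`, `~` and `*`) would never match in the browser and the check would silently pass. I would pin that contract above the loop with `// Must stay byte-compatible with encodeURIComponent() in freelancerSubmissionUpload.js.html; the JS compares the encoded forms.` The comma-separated `forbiddenChars` list is display-only, but becomes ambiguous if `,` itself is blacklisted. As the subject says this is client-side validation, the upload handler must still reject these names and types server-side, since the browser check is trivially bypassed; that handler is not visible here, and the enclosing `main` starts and ends outside the hunk.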
diff --git a/src/templateConstCollection.cpp b/src/templateConstCollection.cpp
index 348ba1c..1e8284c 100644
--- a/src/templateConstCollection.cpp
+++ b/src/templateConstCollection.cpp
@@ -77,6 +77,7 @@ namespace TemplateConstCollection {
 const static std::string MUSTACHE_FREELANCER_SUBMISSION_ALIAS_ERROR = "SUBMISSION_ALIAS_ERROR";
 const static std::string MUSTACHE_FREELANCER_SUBMISSION_ALIAS_ERROR_INVALID = "SUBMISSION_ALIAS_ERROR_INVALID";
 const static std::string MUSTACHE_POST_ERROR = "POST_ERROR";
+ const static std::string MUSTACHE_GENERIC_SEPARATOR = "#SEP#";
 //Mustache Cookie variable names
 const static std::string MUSTACHE_COOKIE_LOGGED_IN = "COOKIE_LOGGED_IN";
@@ -97,6 +98,8 @@ namespace TemplateConstCollection {
 const static std::string MUSTACHE_FREELANCER_MAXIMUM_STORAGE_IN_MB = "MAXIMUM_STORAGE_IN_MB";
 const static std::string MUSTACHE_FREELANCER_MAXIMUM_FILE_NAME_SIZE = "MAXIMUM_FILE_NAME_SIZE";
 const static std::string MUSTACHE_FREELANCER_ALLOWED_FILE_TYPES_LIST_COMMA_SEPARATED = "ALLOWED_FILE_TYPES_LIST_COMMA_SEPARATED";
+ const static std::string MUSTACHE_FREELANCER_FORBIDDEN_FILE_CHARACTER_LIST_COMMA_SEPARATED = "FORBIDDEN_FILE_CHARACTER_LIST_COMMA_SEPARATED";
+ const static std::string MUSTACHE_FREELANCER_FORBIDDEN_FILE_CHARACTER_LIST_SEP_SEPARATED = "FORBIDDEN_FILE_CHARACTER_LIST_SEP_SEPARATED";
 const static std::string MUSTACHE_FREELANCER_UPLOAD_AVAILIBLE = "UPLOAD_AVAILIBLE";
 //Cookie names
diff --git a/templates/freelancer_Submission_Management_Add.html b/templates/freelancer_Submission_Management_Add.html
index f8818a1..2024704 100644
--- a/templates/freelancer_Submission_Management_Add.html
+++ b/templates/freelancer_Submission_Management_Add.html
@@ -16,6 +16,9 @@
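Review bot: `MUSTACHE_GENERIC_SEPARATOR = "#SEP#"` is duplicated as a hard-coded `split("#SEP#")` in freelancerSubmissionUpload.js.html, so the two literals can drift apart silently and every element of the forbidden-character list would then be treated as one string. The separator should either be passed to the template as its own context value, or at least be pinned with `// Also hard-coded as split("#SEP#") in templates/templateIncludes/freelancerSubmissionUpload.js.html — keep in sync.` It also relies on the encoder never emitting a literal `#` for a blacklisted character; that holds if it percent-encodes `#` as `%23`, which I cannot confirm from this hunk. The `TemplateConstCollection` namespace starts and ends outside the hunk.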

Allowed File Types: {{ALLOWED_FILE_TYPES_LIST_COMMA_SEPARATED}}

+

+ Forbidden Characters in the File Name: {{FORBIDDEN_FILE_CHARACTER_LIST_COMMA_SEPARATED}} +

Allowed File Name Length: {{MAXIMUM_FILE_NAME_SIZE}}

diff --git a/templates/templateIncludes/freelancerSubmissionUpload.js.html b/templates/templateIncludes/freelancerSubmissionUpload.js.html
index 47d45f9..2c45c5e 100644
--- a/templates/templateIncludes/freelancerSubmissionUpload.js.html
+++ b/templates/templateIncludes/freelancerSubmissionUpload.js.html
@@ -9,16 +9,45 @@
 const fileSize = file.size / 1024 / 1024;
 const maxSize = {{MAXIMUM_STORAGE_IN_MB}} - {{USED_STORAGE_IN_MB}};
 const maxFileNameLength = {{MAXIMUM_FILE_NAME_SIZE}};
- console.log(maxSize);
- console.log(maxFileNameLength);
+ const allowedFileTypeArray = "{{ALLOWED_FILE_TYPES_LIST_COMMA_SEPARATED}}".split(",");
+ const forbiddenFileCharArray = "{{FORBIDDEN_FILE_CHARACTER_LIST_SEP_SEPARATED}}".split("#SEP#");
+ var fileTypeIsValid = false;
+ var fileType;
+ var fileNameIncludesForbiddenChar = false;
+
+ allowedFileTypeArray.every(type => {
+ fileType = type;
+ if (file.name.substring(file.name.length - type.length) == type) {
+ fileTypeIsValid = true;
+ return false;
+ }
+ return true;
+ });
+
+ var filenameWithoutType = encodeURIComponent(file.name.substring(0, file.name.length - fileType.length));
+
+ forbiddenFileCharArray.every(char => {
+ if (filenameWithoutType.includes(char)) {
+ fileNameIncludesForbiddenChar = true;
+ return false;
+ }
+ return true;
+ });
+
+
 if (fileSize > maxSize) {
 alert('File size exceeds availible space by: ' + (Math.trunc((fileSize - maxSize) * 100) / 100) + ' MB');
 unHide();
 } else if(file.name.length > maxFileNameLength) {
 alert('File name exceeds allowed length by ' + (file.name.length - maxFileNameLength) + ' characters');
 unHide();
- }
- else {
+}else if(!fileTypeIsValid) {
+ alert('Type of the file is invalid ' + file.name);
+ unHide();
+}else if(fileNameIncludesForbiddenChar) {
+ alert('The file containes a forbidden character ' + file.name);
+ unHide();
+ } else {
 var formdata = new FormData();
 formdata.append("FILE_SUBMISSION", file);
 var ajax = new XMLHttpRequest();
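Review bot: The extension check `file.name.substring(file.name.length - type.length) == type` is a case-sensitive suffix compare, so `report.PDF` is rejected when the configured type is `pdf`; if the server accepts that, this client check is stricter than the real rule, and `if (file.name.endsWith(type)) {` states the intended test more clearly either way. Because `fileType` keeps the last candidate when nothing matched, `filenameWithoutType` is then computed with the wrong suffix length — harmless today only because the `!fileTypeIsValid` branch is tested first, which deserves a comment such as `// fileType is only meaningful when fileTypeIsValid; the type check below runs before the char check relies on it.` The forbidden-character test compares `encodeURIComponent` output with the server-encoded list, so it only catches characters both encoders treat identically, and a mismatch fails open rather than closed. Since this is browser-side validation only, a crafted request still reaches the upload endpoint, so the server-side name and type checks must remain authoritative; they are not visible in this hunk, and the enclosing function starts and ends outside it.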