Files
BookStack/app/Uploads/Controllers/AttachmentController.php
Dan Brown 01dc1e71c5 Attachments: Added more extensive URL filtering
Added a central URLFilter class to check & clean URLs used for
attachments, which is also used for validation, and by the purifier to
standardise protocols (and to make protocol config easier in future).

Thanks to mfk25 for reporting.
2026-07-01 00:41:19 +01:00

262 lines
9.0 KiB
PHP

<?php
namespace BookStack\Uploads\Controllers;
use BookStack\Entities\EntityExistsRule;
use BookStack\Entities\Queries\PageQueries;
use BookStack\Entities\Repos\PageRepo;
use BookStack\Exceptions\FileUploadException;
use BookStack\Exceptions\NotFoundException;
use BookStack\Http\Controller;
use BookStack\Permissions\Permission;
use BookStack\Uploads\Attachment;
use BookStack\Uploads\AttachmentService;
use BookStack\Util\UrlFilter;
use Exception;
use Illuminate\Contracts\Filesystem\FileNotFoundException;
use Illuminate\Http\Request;
use Illuminate\Support\MessageBag;
use Illuminate\Validation\ValidationException;
class AttachmentController extends Controller
{
public function __construct(
protected AttachmentService $attachmentService,
protected PageQueries $pageQueries,
protected PageRepo $pageRepo
) {
}
/**
* Endpoint at which attachments are uploaded to.
*
* @throws ValidationException
* @throws NotFoundException
*/
public function upload(Request $request)
{
$this->validate($request, [
'uploaded_to' => ['required', 'integer', new EntityExistsRule('page')],
'file' => array_merge(['required'], $this->attachmentService->getFileValidationRules()),
]);
$pageId = $request->input('uploaded_to');
$page = $this->pageQueries->findVisibleByIdOrFail($pageId);
$this->checkPermission(Permission::AttachmentCreateAll);
$this->checkOwnablePermission(Permission::PageUpdate, $page);
$uploadedFile = $request->file('file');
try {
$attachment = $this->attachmentService->saveNewUpload($uploadedFile, $pageId);
} catch (FileUploadException $e) {
return response($e->getMessage(), 500);
}
return response()->json($attachment);
}
/**
* Update an uploaded attachment.
*
* @throws ValidationException
*/
public function uploadUpdate(Request $request, $attachmentId)
{
$this->validate($request, [
'file' => array_merge(['required'], $this->attachmentService->getFileValidationRules()),
]);
/** @var Attachment $attachment */
$attachment = Attachment::query()->findOrFail($attachmentId);
$this->checkOwnablePermission(Permission::PageView, $attachment->page);
$this->checkOwnablePermission(Permission::PageUpdate, $attachment->page);
$this->checkOwnablePermission(Permission::AttachmentUpdate, $attachment);
$uploadedFile = $request->file('file');
try {
$attachment = $this->attachmentService->saveUpdatedUpload($uploadedFile, $attachment);
} catch (FileUploadException $e) {
return response($e->getMessage(), 500);
}
return response()->json($attachment);
}
/**
* Get the update form for an attachment.
*/
public function getUpdateForm(string $attachmentId)
{
/** @var Attachment $attachment */
$attachment = Attachment::query()->findOrFail($attachmentId);
$this->checkOwnablePermission(Permission::PageUpdate, $attachment->page);
$this->checkOwnablePermission(Permission::AttachmentCreate, $attachment);
return view('attachments.manager-edit-form', [
'attachment' => $attachment,
]);
}
/**
* Update the details of an existing file.
*/
public function update(Request $request, string $attachmentId)
{
/** @var Attachment $attachment */
$attachment = Attachment::query()->findOrFail($attachmentId);
$this->checkOwnablePermission(Permission::PageView, $attachment->page);
$this->checkOwnablePermission(Permission::PageUpdate, $attachment->page);
$this->checkOwnablePermission(Permission::AttachmentUpdate, $attachment);
try {
$this->validate($request, [
'attachment_edit_name' => ['required', 'string', 'min:1', 'max:255'],
'attachment_edit_url' => ['string', 'min:1', 'max:2000', 'safe_url'],
]);
} catch (ValidationException $exception) {
return response()->view('attachments.manager-edit-form', array_merge($request->only(['attachment_edit_name', 'attachment_edit_url']), [
'attachment' => $attachment,
'errors' => new MessageBag($exception->errors()),
]), 422);
}
$attachment = $this->attachmentService->updateFile($attachment, [
'name' => $request->input('attachment_edit_name'),
'link' => $request->input('attachment_edit_url'),
]);
return view('attachments.manager-edit-form', [
'attachment' => $attachment,
]);
}
/**
* Attach a link to a page.
*
* @throws NotFoundException
*/
public function attachLink(Request $request)
{
$pageId = $request->input('attachment_link_uploaded_to');
$page = $this->pageQueries->findVisibleByIdOrFail($pageId);
$this->checkPermission(Permission::AttachmentCreateAll);
$this->checkOwnablePermission(Permission::PageUpdate, $page);
try {
$this->validate($request, [
'attachment_link_uploaded_to' => ['required', 'integer', new EntityExistsRule('page')],
'attachment_link_name' => ['required', 'string', 'min:1', 'max:255'],
'attachment_link_url' => ['required', 'string', 'min:1', 'max:2000', 'safe_url'],
]);
} catch (ValidationException $exception) {
return response()->view('attachments.manager-link-form', array_merge($request->only(['attachment_link_name', 'attachment_link_url']), [
'pageId' => $pageId,
'errors' => new MessageBag($exception->errors()),
]), 422);
}
$attachmentName = $request->input('attachment_link_name');
$link = $request->input('attachment_link_url');
$this->attachmentService->saveNewFromLink($attachmentName, $link, intval($pageId));
return view('attachments.manager-link-form', [
'pageId' => $pageId,
]);
}
/**
* Get the attachments for a specific page.
*
* @throws NotFoundException
*/
public function listForPage(int $pageId)
{
$page = $this->pageQueries->findVisibleByIdOrFail($pageId);
return view('attachments.manager-list', [
'attachments' => $page->attachments->all(),
]);
}
/**
* Update the attachment sorting.
*
* @throws ValidationException
* @throws NotFoundException
*/
public function sortForPage(Request $request, int $pageId)
{
$this->validate($request, [
'order' => ['required', 'array'],
]);
$page = $this->pageQueries->findVisibleByIdOrFail($pageId);
$this->checkOwnablePermission(Permission::PageUpdate, $page);
$attachmentOrder = $request->input('order');
$this->attachmentService->updateFileOrderWithinPage($attachmentOrder, $pageId);
return response()->json(['message' => trans('entities.attachments_order_updated')]);
}
/**
* Get an attachment from storage.
*
* @throws FileNotFoundException
* @throws NotFoundException
*/
public function get(Request $request, string $attachmentId)
{
/** @var Attachment $attachment */
$attachment = Attachment::query()->findOrFail($attachmentId);
try {
$page = $this->pageQueries->findVisibleByIdOrFail($attachment->uploaded_to);
} catch (NotFoundException $exception) {
throw new NotFoundException(trans('errors.attachment_not_found'));
}
if ($attachment->external) {
$url = (new UrlFilter($attachment->path))->clean();
return redirect($url);
}
$fileName = $attachment->getFileName();
$attachmentStream = $this->attachmentService->streamAttachmentFromStorage($attachment);
$attachmentSize = $this->attachmentService->getAttachmentFileSize($attachment);
if ($request->input('open') === 'true') {
return $this->download()->streamedInline($attachmentStream, $fileName, $attachmentSize);
}
return $this->download()->streamedDirectly($attachmentStream, $fileName, $attachmentSize);
}
/**
* Delete a specific attachment in the system.
*
* @throws Exception
*/
public function delete(string $attachmentId)
{
/** @var Attachment $attachment */
$attachment = Attachment::query()->findOrFail($attachmentId);
try {
$this->pageQueries->findVisibleByIdOrFail($attachment->uploaded_to);
} catch (NotFoundException $exception) {
throw new NotFoundException(trans('errors.attachment_not_found'));
}
$this->checkOwnablePermission(Permission::AttachmentDelete, $attachment);
$this->attachmentService->deleteFile($attachment);
return response()->json(['message' => trans('entities.attachments_deleted')]);
}
}