From e1cefd7274d3a2691eebc360431beba6e0de8d74 Mon Sep 17 00:00:00 2001
From: baozhoutao
Date: Mon, 15 Apr 2024 18:22:13 +0800
Subject: [PATCH] =?UTF-8?q?fix=20[Task]:=202.6=E4=BD=BF=E7=94=A8=E7=8E=AF?= =?UTF-8?q?=E5=A2=83=E5=8F=98=E9=87=8FSTEEDOS=5FCFS=5FUPLOAD=5FDENY=5FEXT?= =?UTF-8?q?=E6=8E=A7=E5=88=B6,=20=E5=93=AA=E4=BA=9B=E6=A0=BC=E5=BC=8F?= =?UTF-8?q?=E7=9A=84=E6=96=87=E4=BB=B6=E7=A6=81=E6=AD=A2=E4=B8=8A=E4=BC=A0?= =?UTF-8?q?.=20#6725?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://github.com/steedos/steedos-platform/issues/6725
---
 .../default/routes/api_v4_instances_s3.router.js | 16 ++++++++++++++--
 .../main/default/routes/s3.router.js | 12 +++++++++---
 .../main/default/routes/s3_collection.router.js | 14 ++++++++++++--
 3 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/services/service-files/main/default/routes/api_v4_instances_s3.router.js b/services/service-files/main/default/routes/api_v4_instances_s3.router.js
index 7941d04c58..c1c86ff7b6 100644
--- a/services/service-files/main/default/routes/api_v4_instances_s3.router.js
+++ b/services/service-files/main/default/routes/api_v4_instances_s3.router.js
@@ -1,14 +1,15 @@
 /*
 * @Author: sunhaolin@hotoa.com
 * @Date: 2022-06-08 09:38:56
- * @LastEditors: sunhaolin@hotoa.com
- * @LastEditTime: 2022-08-03 11:33:16
+ * @LastEditors: baozhoutao@steedos.com
+ * @LastEditTime: 2024-04-15 18:18:09
 * @Description:
 */
 const express = require("express");
 const router = express.Router();
 const core = require('@steedos/core');
 const formidable = require('formidable');
+const _ = require('lodash')
 const {
 getCollection,
 File,
@@ -64,6 +65,17 @@ router.post('/api/v4/instances/s3/', core.requireAuthentication, async function
 const collection = await getCollection(DB_COLLECTION_NAME);
+ const deny_ext = _.split(process.env.STEEDOS_CFS_UPLOAD_DENY_EXT, ',');
+
+ const fileName = formatFileName(originalFilename, upload_from);
+
+ const name_split = fileName.split('.');
+ const extention = name_split.pop();
+
+ if(_.includes(deny_ext, extention)){
+ throw new Error(`禁止上传「${extention}」附件`)
+ }
+
 const newFile = new File({ name: formatFileName(originalFilename, upload_from), size, mimetype, fsCollectionName: FS_COLLECTION_NAME });
 let parentId = '';
diff --git a/services/service-files/main/default/routes/s3.router.js b/services/service-files/main/default/routes/s3.router.js
index 2c413df1a7..b97d9be936 100644
--- a/services/service-files/main/default/routes/s3.router.js
+++ b/services/service-files/main/default/routes/s3.router.js
@@ -1,8 +1,8 @@
 /*
 * @Author: sunhaolin@hotoa.com
 * @Date: 2022-06-10 09:38:53
- * @LastEditors: sunhaolin@hotoa.com
- * @LastEditTime: 2023-06-12 16:47:12
+ * @LastEditors: baozhoutao@steedos.com
+ * @LastEditTime: 2024-04-15 18:18:33
 * @Description:
 */
@@ -10,6 +10,7 @@ const express = require("express");
 const router = express.Router();
 const core = require('@steedos/core');
 const formidable = require('formidable');
+const _ = require('lodash')
 const {
 getCollection,
 File,
@@ -65,10 +66,15 @@ router.post('/s3/', core.requireAuthentication, async function (req, res) {
 const newFile = new File({ name: formatFileName(originalFilename, upload_from), size, mimetype, fsCollectionName: FS_COLLECTION_NAME });
 const filename = newFile.name;
-
+
+ const deny_ext = _.split(process.env.STEEDOS_CFS_UPLOAD_DENY_EXT, ',');
 const name_split = filename.split('.');
 const extention = name_split.pop();
+ if(_.includes(deny_ext, extention)){
+ throw new Error(`禁止上传「${extention}」附件`)
+ }
+
 const metadata = {
 owner,
 owner_name,
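Review bot: The comparison `_.includes(deny_ext, extention)` in the api_v4_instances_s3 hunk is an exact, case-sensitive string match, so a deny entry `exe` does not cover `EXE`, and a list written as `exe, php` produces the entry ` php`, which never matches. Normalise both sides, e.g. `const deny_ext = _.split(process.env.STEEDOS_CFS_UPLOAD_DENY_EXT || '', ',').map(e => e.trim().toLowerCase()).filter(Boolean);` and `const extention = name_split.pop().trim().toLowerCase();`. With the variable unset the current split yields `['']`, which rejects names ending in a dot instead of switching the check off; the `filter(Boolean)` removes that entry. The same three lines recur in the s3.router.js and s3_collection.router.js hunks and need the same change. The route handler starts and ends outside this hunk.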
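Review bot: In the s3.router.js hunk a denied upload is signalled with `throw new Error(...)`, the same path an internal fault takes, so unless the surrounding handler maps it (any try/catch is outside this hunk) the client cannot tell a policy rejection from a server error. Answering explicitly keeps the status meaningful and does not depend on how a rejected async Express handler is treated, for example `return res.status(400).send({ message });` with `message` holding the existing text. Logging the refused extension together with the authenticated user would also make rejected uploads visible in audit trails. The hunks in api_v4_instances_s3.router.js and s3_collection.router.js throw in the same way.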
diff --git a/services/service-files/main/default/routes/s3_collection.router.js b/services/service-files/main/default/routes/s3_collection.router.js
index 97e4283182..2ebf896a7c 100644
--- a/services/service-files/main/default/routes/s3_collection.router.js
+++ b/services/service-files/main/default/routes/s3_collection.router.js
@@ -1,8 +1,8 @@
 /*
 * @Author: sunhaolin@hotoa.com
 * @Date: 2022-06-10 09:38:53
- * @LastEditors: sunhaolin@hotoa.com
- * @LastEditTime: 2022-08-03 11:33:20
+ * @LastEditors: baozhoutao@steedos.com
+ * @LastEditTime: 2024-04-15 17:42:25
 * @Description:
 */
@@ -10,6 +10,7 @@ const express = require("express");
 const router = express.Router();
 const core = require('@steedos/core');
 const formidable = require('formidable');
+const _ = require('lodash')
 const {
 getCollection,
 File,
@@ -47,6 +48,15 @@ router.post('/s3/:collection/', core.requireAuthentication, async function (req,
 size
 } = files.file;
+ const deny_ext = _.split(process.env.STEEDOS_CFS_UPLOAD_DENY_EXT, ',');
+
+ const name_split = originalFilename.split('.');
+ const extention = name_split.pop();
+
+ if(_.includes(deny_ext, extention)){
+ throw new Error(`禁止上传「${extention}」附件`)
+ }
+
 const collection = await getCollection(DB_COLLECTION_NAME);
 const newFile = new File({ name: originalFilename, size, mimetype, fsCollectionName: FS_COLLECTION_NAME });
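Review bot: The s3_collection route calls `originalFilename.split('.')` on the raw client-supplied name, whereas the other two routes test the name after `formatFileName`/`new File`, and an upload part without a filename would make `.split` throw a TypeError before any policy decision is taken (formidable appears to allow a null `originalFilename`; confirm for the version in use). A guard such as `const extention = String(originalFilename || '').split('.').pop();` keeps the check total. Because the same deny-list logic now lives in three routers, consider moving it into one helper next to `getCollection`/`File` so the parsing of `STEEDOS_CFS_UPLOAD_DENY_EXT` and the extension rule cannot drift between routes. The check looks only at the name suffix, and `mimetype` is likewise client-declared, so neither should be documented as establishing the content type. The handler body extends beyond this hunk.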