public void UnzipMediaFileArchiveNonAdministratorWhitelistTest() {
    // Unzip an archive as a non-administrator user whose site carries the white list
    // "txt dll config": only white-listed extensions may be extracted, and the web.config
    // black list is applied on top of the white list.
    StorageProvider.SavedStreams.Clear();
    StubWorkContextAccessor.WorkContextImpl.StubSite.DefaultSuperUser = "******";

    var mediaSettingsPart = new MediaSettingsPart {
        Record = new MediaSettingsPartRecord { UploadAllowedFileTypeWhitelist = "txt dll config" }
    };
    StubWorkContextAccessor.WorkContextImpl._initMethod = workContext => {
        workContext.CurrentSite.ContentItem.Weld(mediaSettingsPart);
    };

    MediaService.UnzipMediaFileArchiveAccessor(FolderName1, CreateZipMemoryStream());

    // Storage paths each archive entry would have been written to.
    string savedText = StorageProvider.Combine(FolderName1, TextFileName);
    string savedPaddedText = StorageProvider.Combine(FolderName1, PaddedTextFileName);
    string savedDll = StorageProvider.Combine(FolderName1, DllFileName);
    string savedZip = StorageProvider.Combine(FolderName1, ZipFileName);
    string savedWebconfig = StorageProvider.Combine(FolderName1, WebconfigFileName);
    string savedNoExtension = StorageProvider.Combine(FolderName1, NoExtensionFileName);
    string savedFinalDottedWebconfig = StorageProvider.Combine(FolderName1, FinalDottedWebconfigFileName);
    string savedFinalDottedText = StorageProvider.Combine(FolderName1, FinalDottedTextFileName);
    string savedPaddedWebconfig = StorageProvider.Combine(FolderName1, PaddedWebconfigFileName);

    var saved = StorageProvider.SavedStreams;

    // Entries accepted by the white list.
    Assert.That(saved.Contains(savedText), Is.True, "text files are allowed by the white list for non super users");
    Assert.That(saved.Contains(savedPaddedText), Is.True, "padded text files are allowed for super users");
    Assert.That(saved.Contains(savedDll), Is.True, "dll files are allowed by the white list for non super users");

    // Entries rejected: nested archives, the web.config black list, and names without a usable extension.
    Assert.That(saved.Contains(savedZip), Is.False, "Recursive zip archive files are not allowed");
    Assert.That(saved.Contains(savedWebconfig), Is.False, "web.config files are never allowed even if config extensions are");
    Assert.That(saved.Contains(savedNoExtension), Is.False, "no extension files are never allowed");
    Assert.That(saved.Contains(savedFinalDottedWebconfig), Is.False, "no extension files are never allowed");
    Assert.That(saved.Contains(savedFinalDottedText), Is.False, "no extension files are never allowed");
    Assert.That(saved.Contains(savedPaddedWebconfig), Is.False, "no extension files are never allowed");

    // Exactly the three accepted entries were written.
    Assert.That(saved.Count, Is.EqualTo(3));
}
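/// <summary>
/// Verifies if a file is allowed based on its name and the policies defined by the black / white lists.
/// </summary>
/// <remarks>
/// Evaluation order: a file with no name or no extension is rejected; a zip archive is decided
/// solely by <paramref name="allowZip"/>; for every user other than the site super user the
/// extension must appear in the upload white list (an empty white list imposes no extension
/// restriction); finally the black list (web.config) is applied to every user, super user included.
/// An earlier version returned early when the white list was empty, which skipped the black list
/// for non super users; the black list now runs unconditionally.
/// </remarks>
/// <param name="fileName">The file name of the file to validate.</param>
/// <param name="allowZip">Boolean value indicating whether zip files are allowed.</param>
/// <returns>True if the file is allowed; false if otherwise.</returns>
public bool FileAllowed(string fileName, bool allowZip) {
    string localFileName = GetFileName(fileName);
    string extension = GetExtension(localFileName);

    // The white list is extension based, so a nameless or extension-less file can never be
    // classified and is rejected outright.
    if (string.IsNullOrEmpty(localFileName) || string.IsNullOrEmpty(extension)) {
        return false;
    }

    ISite currentSite = _orchardServices.WorkContext.CurrentSite;
    IUser currentUser = _orchardServices.WorkContext.CurrentUser;

    // zip files at the top level are allowed since this is how you upload multiple files at once.
    if (IsZipFile(extension)) {
        return allowZip;
    }

    // whitelist does not apply to the superuser; string.Equals is null-safe should SuperUser be unset.
    bool isSuperUser = currentUser != null
        && string.Equals(currentSite.SuperUser, currentUser.UserName, StringComparison.Ordinal);

    if (!isSuperUser) {
        // must be in the whitelist
        MediaSettingsPart mediaSettings = currentSite.As<MediaSettingsPart>();
        if (mediaSettings == null) {
            return false;
        }

        // An empty white list means "no extension restriction" but must not short-circuit the
        // black list below: returning true here let non super users upload web.config whenever
        // the white list was blank.
        if (!String.IsNullOrWhiteSpace(mediaSettings.UploadAllowedFileTypeWhitelist)) {
            string[] allowedExtensions = mediaSettings.UploadAllowedFileTypeWhitelist
                .ToUpperInvariant()
                .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);

            if (!allowedExtensions.Contains(extension.ToUpperInvariant())) {
                return false;
            }
        }
    }

    // blacklist always applies, to the super user as well
    if (string.Equals(localFileName, "web.config", StringComparison.OrdinalIgnoreCase)) {
        return false;
    }

    return true;
}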
public void WebConfigIsBlackListed() {
    // web.config must be rejected even though "config" is on the white list, and regardless
    // of the directory it sits in.
    StorageProvider.SavedStreams.Clear();
    StubWorkContextAccessor.WorkContextImpl.StubSite.DefaultSuperUser = "******";

    var mediaSettingsPart = new MediaSettingsPart {
        Record = new MediaSettingsPartRecord { UploadAllowedFileTypeWhitelist = "txt dll config" }
    };
    StubWorkContextAccessor.WorkContextImpl._initMethod = workContext => {
        workContext.CurrentSite.ContentItem.Weld(mediaSettingsPart);
    };

    var blackListedNames = new[] { "web.config", "dummy/web.config" };
    foreach (var candidate in blackListedNames) {
        Assert.That(MediaService.FileAllowedAccessor(candidate, true), Is.False);
    }
}