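public void UnzipMediaFileArchiveNonAdministratorWhitelistTest()
        {
            // Unzip some files as a non administrator user with a whitelist of "txt dll config".
            // "config" is deliberately on the whitelist so the assertions show that the
            // web.config blacklist still wins over the whitelist.
            StorageProvider.SavedStreams.Clear();
            StubWorkContextAccessor.WorkContextImpl.StubSite.DefaultSuperUser = "******";

            MediaSettingsPart mediaSettingsPart = new MediaSettingsPart {
                Record = new MediaSettingsPartRecord {
                    UploadAllowedFileTypeWhitelist = "txt dll config"
                }
            };

            StubWorkContextAccessor.WorkContextImpl._initMethod = workContext => {
                workContext.CurrentSite.ContentItem.Weld(mediaSettingsPart);
            };

            MediaService.UnzipMediaFileArchiveAccessor(FolderName1, CreateZipMemoryStream());

            // Entries that the whitelist admits.
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, TextFileName)), Is.True, "text files are allowed by the white list for non super users");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, PaddedTextFileName)), Is.True, "padded text files are allowed by the white list for non super users");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, DllFileName)), Is.True, "dll files are allowed by the white list for non super users");

            // Entries that must be rejected; each message names the rule that rejects it.
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, ZipFileName)), Is.False, "Recursive zip archive files are not allowed");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, WebconfigFileName)), Is.False, "web.config files are never allowed even if config extensions are");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, NoExtensionFileName)), Is.False, "no extension files are never allowed");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, FinalDottedWebconfigFileName)), Is.False, "final-dotted web.config file names are never allowed");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, FinalDottedTextFileName)), Is.False, "final-dotted text file names are not allowed");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, PaddedWebconfigFileName)), Is.False, "padded web.config file names are never allowed");

            // Exactly the three admitted entries were saved; nothing else leaked through.
            Assert.That(StorageProvider.SavedStreams.Count, Is.EqualTo(3));
        }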
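        /// <summary>
        /// Verifies if a file is allowed based on its name and the policies defined by the black / white lists.
        /// </summary>
        /// <remarks>
        /// Evaluation order: a file without a name or an extension is rejected; a zip file is decided solely by
        /// <paramref name="allowZip"/>; the site whitelist (space separated extensions, compared case insensitively)
        /// applies to every user except the site super user, and an empty whitelist places no extension
        /// restriction; finally the blacklist (a file named web.config) applies to everyone, super user included,
        /// and also when the whitelist is empty.
        /// </remarks>
        /// <param name="fileName">The file name (or path, of which only the last segment is used) of the file to validate.</param>
        /// <param name="allowZip">Boolean value indicating whether zip files are allowed.</param>
        /// <returns>True if the file is allowed; false if otherwise.</returns>
        public bool FileAllowed(string fileName, bool allowZip)
        {
            string localFileName = GetFileName(fileName);
            string extension = GetExtension(localFileName);

            // Without a name or an extension nothing can be matched against the lists: reject.
            if (string.IsNullOrEmpty(localFileName) || string.IsNullOrEmpty(extension))
            {
                return false;
            }

            // Zip files at the top level are allowed since this is how you upload multiple files at once;
            // the caller decides through allowZip.
            if (IsZipFile(extension))
            {
                return allowZip;
            }

            ISite currentSite = _orchardServices.WorkContext.CurrentSite;
            IUser currentUser = _orchardServices.WorkContext.CurrentUser;

            // No site means no settings to consult: fail closed rather than throw.
            if (currentSite == null)
            {
                return false;
            }

            // The whitelist does not apply to the super user. string.Equals tolerates a null SuperUser or
            // UserName (treated as "not the super user"), where the instance Equals call would throw.
            bool isSuperUser = currentUser != null
                && string.Equals(currentSite.SuperUser, currentUser.UserName, StringComparison.Ordinal);

            if (!isSuperUser)
            {
                MediaSettingsPart mediaSettings = currentSite.As<MediaSettingsPart>();

                // No media settings means the whitelist cannot be checked: fail closed.
                if (mediaSettings == null)
                {
                    return false;
                }

                // An empty whitelist means "no extension restriction". It does NOT bypass the blacklist
                // below, so execution falls through instead of returning true here.
                string whitelist = mediaSettings.UploadAllowedFileTypeWhitelist;
                if (!string.IsNullOrWhiteSpace(whitelist))
                {
                    string[] allowedExtensions = whitelist.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
                    if (!allowedExtensions.Contains(extension, StringComparer.OrdinalIgnoreCase))
                    {
                        return false;
                    }
                }
            }

            // The blacklist always applies, to the super user and with an empty whitelist alike:
            // web.config is the ASP.NET configuration file and must never be written by an upload.
            if (string.Equals(localFileName, "web.config", StringComparison.OrdinalIgnoreCase))
            {
                return false;
            }

            return true;
        }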
        public void WebConfigIsBlackListed()
        {
            // web.config must be rejected even though "config" is on the whitelist, whether it is
            // named directly or sits below a sub folder.
            StorageProvider.SavedStreams.Clear();
            StubWorkContextAccessor.WorkContextImpl.StubSite.DefaultSuperUser = "******";

            var settings = new MediaSettingsPart();
            settings.Record = new MediaSettingsPartRecord();
            settings.Record.UploadAllowedFileTypeWhitelist = "txt dll config";

            StubWorkContextAccessor.WorkContextImpl._initMethod =
                workContext => workContext.CurrentSite.ContentItem.Weld(settings);

            foreach (var fileName in new[] { "web.config", "dummy/web.config" })
            {
                Assert.That(MediaService.FileAllowedAccessor(fileName, true), Is.False, fileName + " must be black listed");
            }
        }
        public void WebConfigIsBlackListed() {
            // "config" is whitelisted on purpose: the test shows the web.config blacklist is
            // applied regardless of the whitelist and regardless of a leading folder.
            StorageProvider.SavedStreams.Clear();
            StubWorkContextAccessor.WorkContextImpl.StubSite.DefaultSuperUser = "******";

            var record = new MediaSettingsPartRecord { UploadAllowedFileTypeWhitelist = "txt dll config" };
            var settings = new MediaSettingsPart { Record = record };

            StubWorkContextAccessor.WorkContextImpl._initMethod =
                workContext => workContext.CurrentSite.ContentItem.Weld(settings);

            bool rootAllowed = MediaService.FileAllowedAccessor("web.config", true);
            bool nestedAllowed = MediaService.FileAllowedAccessor("dummy/web.config", true);

            Assert.That(rootAllowed, Is.False, "web.config at the root must be black listed");
            Assert.That(nestedAllowed, Is.False, "web.config in a sub folder must be black listed");
        }
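        public void UnzipMediaFileArchiveNonAdministratorWhitelistTest() {
            // Unzip some files as a non administrator user with a whitelist of "txt dll config".
            // "config" is deliberately on the whitelist so the assertions show that the
            // web.config blacklist still wins over the whitelist.
            StorageProvider.SavedStreams.Clear();
            StubWorkContextAccessor.WorkContextImpl.StubSite.DefaultSuperUser = "******";

            MediaSettingsPart mediaSettingsPart = new MediaSettingsPart {
                Record = new MediaSettingsPartRecord { UploadAllowedFileTypeWhitelist = "txt dll config" }
            };

            StubWorkContextAccessor.WorkContextImpl._initMethod = workContext => {
                workContext.CurrentSite.ContentItem.Weld(mediaSettingsPart);
            };

            MediaService.UnzipMediaFileArchiveAccessor(FolderName1, CreateZipMemoryStream());

            // Entries that the whitelist admits.
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, TextFileName)), Is.True, "text files are allowed by the white list for non super users");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, PaddedTextFileName)), Is.True, "padded text files are allowed by the white list for non super users");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, DllFileName)), Is.True, "dll files are allowed by the white list for non super users");

            // Entries that must be rejected; each message names the rule that rejects it.
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, ZipFileName)), Is.False, "Recursive zip archive files are not allowed");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, WebconfigFileName)), Is.False, "web.config files are never allowed even if config extensions are");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, NoExtensionFileName)), Is.False, "no extension files are never allowed");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, FinalDottedWebconfigFileName)), Is.False, "final-dotted web.config file names are never allowed");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, FinalDottedTextFileName)), Is.False, "final-dotted text file names are not allowed");
            Assert.That(StorageProvider.SavedStreams.Contains(StorageProvider.Combine(FolderName1, PaddedWebconfigFileName)), Is.False, "padded web.config file names are never allowed");

            // Exactly the three admitted entries were saved; nothing else leaked through.
            Assert.That(StorageProvider.SavedStreams.Count, Is.EqualTo(3));
        }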