feat(storage policy): set deny/allow list for file extension and custom regexp (#2695)

master
Aaron Liu 2025-07-25 11:32:04 +08:00
parent 60bf0e02b3
commit c8c2a60adb
4 changed files with 84 additions and 18 deletions

View File

@ -41,6 +41,12 @@ type (
Token string `json:"token"`
// 允许的文件扩展名
FileType []string `json:"file_type"`
// IsFileTypeDenyList Whether above list is a deny list.
IsFileTypeDenyList bool `json:"is_file_type_deny_list,omitempty"`
// FileRegexp 文件扩展名正则表达式
NameRegexp string `json:"file_regexp,omitempty"`
// IsNameRegexp Whether above regexp is a deny list.
IsNameRegexpDenyList bool `json:"is_name_regexp_deny_list,omitempty"`
// OauthRedirect Oauth 重定向地址
OauthRedirect string `json:"od_redirect,omitempty"`
// CustomProxy whether to use custom-proxy to get file content

View File

@ -120,6 +120,20 @@ func (f *DBFS) Create(ctx context.Context, path *fs.URI, fileType types.FileType
ancestor = newFile(ancestor, newFolder)
} else {
// valide file name
policy, err := f.getPreferredPolicy(ctx, ancestor, 0)
if err != nil {
return nil, err
}
if err := validateExtension(desired[i], policy); err != nil {
return nil, fs.ErrIllegalObjectName.WithError(err)
}
if err := validateFileNameRegexp(desired[i], policy); err != nil {
return nil, fs.ErrIllegalObjectName.WithError(err)
}
file, err := f.createFile(ctx, ancestor, desired[i], fileType, o)
if err != nil {
return nil, err
@ -170,6 +184,10 @@ func (f *DBFS) Rename(ctx context.Context, path *fs.URI, newName string) (fs.Fil
if err := validateExtension(newName, policy); err != nil {
return nil, fs.ErrIllegalObjectName.WithError(err)
}
if err := validateFileNameRegexp(newName, policy); err != nil {
return nil, fs.ErrIllegalObjectName.WithError(err)
}
}
// Lock target

View File

@ -3,10 +3,12 @@ package dbfs
import (
"context"
"fmt"
"regexp"
"strings"
"github.com/cloudreve/Cloudreve/v4/ent"
"github.com/cloudreve/Cloudreve/v4/pkg/filemanager/fs"
"github.com/cloudreve/Cloudreve/v4/pkg/util"
"strings"
)
const MaxFileNameLength = 256
@ -30,18 +32,35 @@ func validateFileName(name string) error {
// validateExtension validates the file extension.
func validateExtension(name string, policy *ent.StoragePolicy) error {
// 不需要验证
if len(policy.Settings.FileType) == 0 {
return nil
}
if !util.IsInExtensionList(policy.Settings.FileType, name) {
inList := util.IsInExtensionList(policy.Settings.FileType, name)
if (policy.Settings.IsFileTypeDenyList && inList) || (!policy.Settings.IsFileTypeDenyList && !inList) {
return fmt.Errorf("file extension is not allowed")
}
return nil
}
func validateFileNameRegexp(name string, policy *ent.StoragePolicy) error {
if policy.Settings.NameRegexp == "" {
return nil
}
match, err := regexp.MatchString(policy.Settings.NameRegexp, name)
if err != nil {
return fmt.Errorf("invalid file name regexp: %s", err)
}
if (policy.Settings.IsNameRegexpDenyList && match) || (!policy.Settings.IsNameRegexpDenyList && !match) {
return fmt.Errorf("file name is not allowed by regexp")
}
return nil
}
// validateFileSize validates the file size.
func validateFileSize(size int64, policy *ent.StoragePolicy) error {
if policy.MaxSize == 0 {
@ -56,11 +75,15 @@ func validateFileSize(size int64, policy *ent.StoragePolicy) error {
// validateNewFile validates the upload request.
func validateNewFile(fileName string, size int64, policy *ent.StoragePolicy) error {
if err := validateFileName(fileName); err != nil {
return err
return fs.ErrIllegalObjectName.WithError(err)
}
if err := validateExtension(fileName, policy); err != nil {
return err
return fs.ErrIllegalObjectName.WithError(err)
}
if err := validateFileNameRegexp(fileName, policy); err != nil {
return fs.ErrIllegalObjectName.WithError(err)
}
if err := validateFileSize(size, policy); err != nil {

View File

@ -250,12 +250,15 @@ type DirectLink struct {
}
type StoragePolicy struct {
ID string `json:"id"`
Name string `json:"name"`
AllowedSuffix []string `json:"allowed_suffix,omitempty"`
Type types.PolicyType `json:"type"`
MaxSize int64 `json:"max_size"`
Relay bool `json:"relay,omitempty"`
ID string `json:"id"`
Name string `json:"name"`
AllowedSuffix []string `json:"allowed_suffix,omitempty"`
DeniedSuffix []string `json:"denied_suffix,omitempty"`
AllowedNameRegexp string `json:"allowed_name_regexp,omitempty"`
DeniedNameRegexp string `json:"denied_name_regexp,omitempty"`
Type types.PolicyType `json:"type"`
MaxSize int64 `json:"max_size"`
Relay bool `json:"relay,omitempty"`
}
type Entity struct {
@ -442,14 +445,30 @@ func BuildStoragePolicy(sp *ent.StoragePolicy, hasher hashid.Encoder) *StoragePo
if sp == nil {
return nil
}
return &StoragePolicy{
ID: hashid.EncodePolicyID(hasher, sp.ID),
Name: sp.Name,
Type: types.PolicyType(sp.Type),
MaxSize: sp.MaxSize,
AllowedSuffix: sp.Settings.FileType,
Relay: sp.Settings.Relay,
res := &StoragePolicy{
ID: hashid.EncodePolicyID(hasher, sp.ID),
Name: sp.Name,
Type: types.PolicyType(sp.Type),
MaxSize: sp.MaxSize,
Relay: sp.Settings.Relay,
}
if sp.Settings.IsFileTypeDenyList {
res.DeniedSuffix = sp.Settings.FileType
} else {
res.AllowedSuffix = sp.Settings.FileType
}
if sp.Settings.NameRegexp != "" {
if sp.Settings.IsNameRegexpDenyList {
res.DeniedNameRegexp = sp.Settings.NameRegexp
} else {
res.AllowedNameRegexp = sp.Settings.NameRegexp
}
}
return res
}
func WriteEventSourceHeader(c *gin.Context) {