
Add url validation

arvid-e 9 bulan lalu
induk
melakukan
b57450f998

+ 0 - 70
apps/app/src/client/services/AdminAttachmentContainer.js

@@ -1,70 +0,0 @@
-import { isServer } from '@growi/core/dist/utils';
-import { Container } from 'unstated';
-
-import { apiv3Get, apiv3Put } from '../util/apiv3-client';
-
-export default class AdminAttachmentContainer extends Container {
-
-  constructor(appContainer) {
-    super();
-
-    if (isServer()) {
-      return;
-    }
-
-    this.appContainer = appContainer;
-
-
-    this.state = {
-      imagepng: true,
-      imagejpeg: true,
-      imagegif: true,
-      imagewebp: true,
-      imagebmp: true,
-      imagexicon: true,
-      applicationpdf: true,
-      videomp4: true,
-      audiompeg: true,
-      textplain: true,
-    };
-  }
-
-  async retrieveContentTypeSettings() {
-    const response = await apiv3Get('/content-type-settings/');
-    const { contentTypes } = response.data.contentTypes;
-
-    this.setState({
-      imagepng: contentTypes.imagepng,
-      imagejpeg: contentTypes.imagejpeg,
-      imagegif: contentTypes.imagegif,
-      imagewebp: contentTypes.imagewebp,
-      imagebmp: contentTypes.imagebmp,
-      imagexicon: contentTypes.imagexicon,
-      applicationpdf: contentTypes.applicationpdf,
-      videomp4: contentTypes.videomp4,
-      audiompeg: contentTypes.audiompeg,
-      textplain: contentTypes.textplain,
-    });
-  }
-
-  async setStrictContentDispositionSettings() {
-
-    await apiv3Put('/content-disposition-settings', {
-    });
-  }
-
-
-  async setModerateContentDispositionSettings() {
-
-    await apiv3Put('/content-disposition-settings', {
-    });
-  }
-
-
-  async setLaxContentDispositionSettings() {
-
-    await apiv3Put('/content-disposition-settings', {
-    });
-  }
-
-}

+ 2 - 0
apps/app/src/interfaces/activity.ts

@@ -78,6 +78,7 @@ const ACTION_ADMIN_MAIL_SMTP_UPDATE = 'ADMIN_MAIL_SMTP_UPDATE';
 const ACTION_ADMIN_MAIL_SES_UPDATE = 'ADMIN_MAIL_SES_UPDATE';
 const ACTION_ADMIN_MAIL_TEST_SUBMIT = 'ADMIN_MAIL_TEST_SUBMIT';
 const ACTION_ADMIN_FILE_UPLOAD_CONFIG_UPDATE = 'ADMIN_FILE_UPLOAD_CONFIG_UPDATE';
+const ACTION_ADMIN_ATTACHMENT_DISPOSITION_UPDATE = 'ADMIN_ATTACHMENT_DISPOSITION_UPDATE';
 const ACTION_ADMIN_QUESTIONNAIRE_SETTINGS_UPDATE = 'ACTION_ADMIN_QUESTIONNAIRE_SETTINGS_UPDATE';
 const ACTION_ADMIN_PAGE_BULK_EXPORT_SETTINGS_UPDATE = 'ADMIN_PAGE_BULK_EXPORT_SETTINGS_UPDATE';
 const ACTION_ADMIN_MAINTENANCEMODE_ENABLED = 'ADMIN_MAINTENANCEMODE_ENABLED';
@@ -454,6 +455,7 @@ export const LargeActionGroup = {
   ACTION_ADMIN_MAIL_SES_UPDATE,
   ACTION_ADMIN_MAIL_TEST_SUBMIT,
   ACTION_ADMIN_FILE_UPLOAD_CONFIG_UPDATE,
+  ACTION_ADMIN_ATTACHMENT_DISPOSITION_UPDATE,
   ACTION_ADMIN_QUESTIONNAIRE_SETTINGS_UPDATE,
   ACTION_ADMIN_PAGE_BULK_EXPORT_SETTINGS_UPDATE,
   ACTION_ADMIN_MAINTENANCEMODE_ENABLED,

+ 19 - 8
apps/app/src/server/routes/apiv3/content-disposition-settings.js

@@ -1,4 +1,5 @@
 import { ErrorV3 } from '@growi/core/dist/models';
+import { body, param } from 'express-validator';
 
 import { SupportedAction } from '~/interfaces/activity';
 import { configManager } from '~/server/service/config-manager';
@@ -14,6 +15,20 @@ const express = require('express');
 
 const router = express.Router();
 
+const validator = {
+  updateContentDisposition: [
+    param('mimeType').exists().notEmpty().withMessage('MIME type is required')
+      .bail()
+      .matches(/^.+\/.+$/)
+      .custom(value => CONFIGURABLE_MIME_TYPES_FOR_DISPOSITION.includes(value))
+      .withMessage('Invalid or unconfigurable MIME type specified.'),
+
+    body('isInline')
+      .isBoolean().withMessage('`isInline` must be a boolean.')
+      .toBoolean(),
+  ],
+};
+
 module.exports = (crowi) => {
   const loginRequiredStrictly = require('../../middlewares/login-required')(crowi);
   const adminRequired = require('../../middlewares/admin-required')(crowi);
@@ -45,13 +60,12 @@ module.exports = (crowi) => {
     return res.apiv3({ contentDispositionSettings });
   });
 
-  // sets any specified mime type
-  // needs body { isInline: boolean }
-  router.put('/:mimeType',
+
+  router.put('/:mimeType(*)',
     loginRequiredStrictly,
     adminRequired,
     addActivity,
-    // validator.updateContentDisposition, // Validate path and body
+    validator.updateContentDisposition, // Validate path and body
     apiV3FormValidator,
     async(req, res) => {
       const { mimeType } = req.params; // Get mimeType from URL path
@@ -77,7 +91,7 @@ module.exports = (crowi) => {
         // Return success response
         return res.apiv3({ mimeType, isInline: updatedIsInline });
       }
-      // Moved catch to new line for brace-style
+
       catch (err) {
         const msg = `Error occurred in updating content disposition for MIME type: ${mimeType}`;
         logger.error(msg, err);
@@ -85,8 +99,5 @@ module.exports = (crowi) => {
       }
     });
 
-  // add function for setting predetermined allowed mime types in lists
-  // Recommended, Strict, Moderately strict, Lax, etc
-
   return router;
 };
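Review bot: The `.withMessage('Invalid or unconfigurable MIME type specified.')` in the new `validator.updateContentDisposition` chain applies only to the preceding `.custom(...)` allow-list check, so a `mimeType` that fails `.matches(/^.+\/.+$/)` is reported with express-validator's default "Invalid value" text instead. Since membership in `CONFIGURABLE_MIME_TYPES_FOR_DISPOSITION` already implies the `type/subtype` shape, either drop the `.matches()` step or give it its own `.withMessage(...)`. `CONFIGURABLE_MIME_TYPES_FOR_DISPOSITION` is referenced inside the validator but is not imported in any visible hunk; if it is not brought into scope further up the file (outside the hunk), the custom validator throws on every request and all updates are rejected. The deleted route comment (`// sets any specified mime type` / `// needs body { isInline: boolean }`) was the endpoint's only contract documentation; I would restore it as a comment directly above `router.put('/:mimeType(*)',` rather than leaving a blank line in its place (the same applies to the blank line that replaced the `// Moved catch` comment). The `router.put` handler body continues outside the hunk.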