Merge pull request from GHSA-8q89-mqw7-9pp7

Additional File Verification
dnnsoftware · Jan 9, 2024 · a5c13c3 · a5c13c3
2 parents 81a80c2 + ed9bf54
commit a5c13c3
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 2 deletions.
diff --git a/DNN Platform/Library/Services/FileSystem/FileManager.cs b/DNN Platform/Library/Services/FileSystem/FileManager.cs
@@ -211,7 +211,7 @@ public virtual IFileInfo AddFile(IFolderInfo folder, string fileName, Stream fil
                         usingSeekableStream = true;
                     }
 
-                    this.CheckFileWritingRestrictions(folder, fileName, fileContent, oldFile, createdByUserID);
+                    this.CheckFileWritingRestrictions(folder, fileName, fileContent, oldFile, createdByUserID, ignoreWhiteList);
 
                     // Retrieve Metadata
                     this.SetInitialFileMetadata(ref fileContent, file, folderProvider);
@@ -1823,7 +1823,7 @@ private void SetImageProperties(IFileInfo file, Stream fileContent)
             }
         }
 
-        private void CheckFileWritingRestrictions(IFolderInfo folder, string fileName, Stream fileContent, IFileInfo oldFile, int createdByUserId)
+        private void CheckFileWritingRestrictions(IFolderInfo folder, string fileName, Stream fileContent, IFileInfo oldFile, int createdByUserId, bool ignoreWhiteList)
         {
             if (!PortalController.Instance.HasSpaceAvailable(folder.PortalID, fileContent.Length))
             {
@@ -1848,6 +1848,14 @@ private void CheckFileWritingRestrictions(IFolderInfo folder, string fileName, S
                 var errorMessage = Localization.GetExceptionMessage("AddFileInvalidContent", defaultMessage);
                 throw new InvalidFileContentException(string.Format(errorMessage, fileName));
             }
+
+            var checkWhiteList = !(UserController.Instance.GetCurrentUserInfo().IsSuperUser && ignoreWhiteList);
+            if (checkWhiteList && !this.WhiteList.IsAllowedExtension(".exe") && !FileSecurityController.Instance.ValidateNotExectuable(fileContent))
+            {
+                var defaultMessage = "The content of '{0}' is not valid. The file has not been added.";
+                var errorMessage = Localization.GetExceptionMessage("AddFileInvalidContent", defaultMessage);
+                throw new InvalidFileContentException(string.Format(errorMessage, fileName));
+            }
         }
 
         private void ManageFileAdding(int createdByUserID, Workflow folderWorkflow, bool fileExists, FileInfo file)

diff --git a/DNN Platform/Library/Services/FileSystem/Internal/FileSecurityController.cs b/DNN Platform/Library/Services/FileSystem/Internal/FileSecurityController.cs
@@ -41,6 +41,19 @@ public bool Validate(string fileName, Stream fileContent)
             }
         }
 
+        /// <inheritdoc/>
+        public bool ValidateNotExectuable(Stream fileContent)
+        {
+            Requires.NotNull("fileContent", fileContent);
+
+            var firstBytes = new byte[2];
+            int bytesRead = fileContent.Read(firstBytes, 0, 2);
+            fileContent.Position = 0;
+
+            // Windows exectuable files start with 0x4D 0x5A
+            return bytesRead < 2 || firstBytes[0] != 0x4D || firstBytes[1] != 0x5A;
+        }
+
         /// <inheritdoc/>
         protected override Func<IFileSecurityController> GetFactory()
         {

diff --git a/DNN Platform/Library/Services/FileSystem/Internal/IFileSecurityController.cs b/DNN Platform/Library/Services/FileSystem/Internal/IFileSecurityController.cs
@@ -13,5 +13,12 @@ public interface IFileSecurityController
         /// <param name="fileContent">The File Content.</param>
         /// <returns><see langword="true"/> if the file has valid content, otherwise <see langword="false"/>.</returns>
         bool Validate(string fileName, Stream fileContent);
+
+        /// <summary>
+        /// Checks the file content isn't an exectuable file.
+        /// </summary>
+        /// <param name="fileContent">The File Content.</param>
+        /// <returns>Whether the file is an exectuable file.</returns>
+        bool ValidateNotExectuable(Stream fileContent);
     }
 }
diff --git a/DNN Platform/Tests/DotNetNuke.Tests.Core/Providers/Folder/FileManagerTests.cs b/DNN Platform/Tests/DotNetNuke.Tests.Core/Providers/Folder/FileManagerTests.cs
@@ -200,6 +200,8 @@ public void AddFile_Checks_Space_For_Stream_Length()
 
             var fileContent = new MemoryStream(Encoding.ASCII.GetBytes("some data here"));
 
+            this.hostController.Setup(c => c.GetString("FileExtensions")).Returns("");
+
             this.portalController.Setup(pc => pc.HasSpaceAvailable(It.IsAny<int>(), It.IsAny<long>())).Returns(true);
 
             this.globals.Setup(g => g.GetSubFolderPath(Constants.FOLDER_ValidFilePath, Constants.CONTENT_ValidPortalId)).Returns(Constants.FOLDER_ValidFolderRelativePath);
@@ -267,6 +269,7 @@ public void AddFile_No_Error_When_File_Content_Is_Valid()
                 this.portalController.Setup(pc => pc.HasSpaceAvailable(Constants.CONTENT_ValidPortalId, fileContent.Length)).Returns(true);
                 this.mockFileManager.Setup(mfm => mfm.IsAllowedExtension(Constants.FOLDER_ValidSvgFileName)).Returns(true);
                 this.mockFileManager.Setup(mfm => mfm.IsImageFile(It.IsAny<IFileInfo>())).Returns(false);
+                this.hostController.Setup(c => c.GetString("FileExtensions")).Returns("");
 
                 this.mockFileManager.Object.AddFile(this.folderInfo.Object, Constants.FOLDER_ValidSvgFileName, fileContent, false, false, Constants.CONTENTTYPE_ValidContentType);
             }