fix: detect mime type of uploaded asset (#7648)

(cherry picked from commit 841e79357a)
Livio Spring 2024-03-27 10:41:10 +01:00
parent ad0589d21d
commit 4c2c9c22c4
No known key found for this signature in database
GPG Key ID: 26BB1C2FA5952CF0
3 changed files with 20 additions and 4 deletions

1
go.mod

@ -24,6 +24,7 @@ require (
github.com/drone/envsubst v1.0.3
github.com/envoyproxy/protoc-gen-validate v1.0.4
github.com/fatih/color v1.16.0
github.com/gabriel-vasile/mimetype v1.4.3
github.com/go-jose/go-jose/v3 v3.0.2
github.com/go-ldap/ldap/v3 v3.4.6
github.com/go-webauthn/webauthn v0.10.1

2
go.sum

@ -205,6 +205,8 @@ github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nos
github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
github.com/fxamacker/cbor/v2 v2.6.0 h1:sU6J2usfADwWlYDAFhZBQ6TnLFBHxgesMrQfQgk1tWA=
github.com/fxamacker/cbor/v2 v2.6.0/go.mod h1:pxXPTn3joSm21Gbwsv0w9OSA2y1HFR9qXEeXQVeNoDQ=
github.com/gabriel-vasile/mimetype v1.4.3 h1:in2uUcidCuFcDKtdcBxlR0rJ1+fsokWf+uqxgUFjbI0=
github.com/gabriel-vasile/mimetype v1.4.3/go.mod h1:d8uq/6HKRL6CGdk+aubisF/M5GcPfT7nKyLpA0lbSSk=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI=
github.com/gin-gonic/gin v1.7.4/go.mod h1:jD2toBW3GZUr5UMcdrwQA10I7RuaFOl/SGeDjXkfUtY=


@ -3,11 +3,13 @@ package assets
import (
"context"
"fmt"
"io"
"net/http"
"strconv"
"strings"
"time"
"github.com/gabriel-vasile/mimetype"
"github.com/gorilla/mux"
"github.com/zitadel/logging"
@ -134,10 +136,21 @@ func UploadHandleFunc(s AssetsService, uploader Uploader) func(http.ResponseWrit
err = file.Close()
logging.OnError(err).Warn("could not close file")
}()
contentType := handler.Header.Get("content-type")
mimeType, err := mimetype.DetectReader(file)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
_, err = file.Seek(0, io.SeekStart)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
size := handler.Size
if !uploader.ContentTypeAllowed(contentType) {
s.ErrorHandler()(w, r, fmt.Errorf("invalid content-type: %s", contentType), http.StatusBadRequest)
if !uploader.ContentTypeAllowed(mimeType.String()) {
s.ErrorHandler()(w, r, fmt.Errorf("invalid content-type: %s", mimeType), http.StatusBadRequest)
return
}
if size > uploader.MaxFileSize() {
@ -154,7 +167,7 @@ func UploadHandleFunc(s AssetsService, uploader Uploader) func(http.ResponseWrit
uploadInfo := &command.AssetUpload{
ResourceOwner: resourceOwner,
ObjectName: objectName,
ContentType: contentType,
ContentType: mimeType.String(),
ObjectType: uploader.ObjectType(),
File: file,
Size: size,
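Review bot: The two new failure paths after `mimetype.DetectReader(file)` and `file.Seek(0, io.SeekStart)` write `err.Error()` straight to the client with `http.Error`, while the content-type rejection just below them goes through `s.ErrorHandler()`. That hands internal I/O error text to the uploader and bypasses whatever the service handler does with errors. I would route both through it, for example `s.ErrorHandler()(w, r, fmt.Errorf("detecting content type: %w", err), http.StatusInternalServerError)`. Separately, `mimeType.String()` can carry parameters for text types (a charset suffix), and the body of `ContentTypeAllowed` is not visible here, so a short comment stating which form the allow-list expects would help if it compares exactly. `UploadHandleFunc` starts and ends outside these hunks.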