Move filename validation out of the Router and into the FilesAdaptor

Author: Mike Patnode

spec/AdaptableController.spec.js

@@ -64,6 +64,7 @@ describe('AdaptableController', () => {
       deleteFile: function() {},
       getFileData: function() {},
       getFileLocation: function() {},
+      validateFilename: function() {},
     };
     expect(() => {
       new FilesController(adapter);
@@ -77,6 +78,7 @@ describe('AdaptableController', () => {
     AGoodAdapter.prototype.deleteFile = function() {};
     AGoodAdapter.prototype.getFileData = function() {};
     AGoodAdapter.prototype.getFileLocation = function() {};
+    AGoodAdapter.prototype.validateFilename = function() {};
 
     const adapter = new AGoodAdapter();
     expect(() => {

spec/FilesController.spec.js

@@ -14,6 +14,7 @@ const mockAdapter = {
   deleteFile: () => {},
   getFileData: () => {},
   getFileLocation: () => 'xyz',
+  validateFilename: () => {},
 };
 
 // Small additional tests to improve overall coverage
@@ -118,4 +119,13 @@ describe('FilesController', () => {
 
     done();
   });
+
+  it('should reject slashes in file names', done => {
+    const gridStoreAdapter = new GridFSBucketAdapter(
+      'mongodb://localhost:27017/parse'
+    );
+    const fileName = 'foo/randomFileName.pdf';
+    expect(gridStoreAdapter.validateFilename(fileName)).not.toBe(null);
+    done();
+  });
 });

src/Adapters/Files/FilesAdapter.js

@@ -8,12 +8,14 @@
 // * deleteFile(filename)
 // * getFileData(filename)
 // * getFileLocation(config, filename)
+// * validateFilename(filename)
 //
 // Default is GridFSBucketAdapter, which requires mongo
 // and for the API server to be using the DatabaseController with Mongo
 // database adapter.
 
 import type { Config } from '../../Config';
+import Parse from 'parse/lib/node/Parse';
 /**
  * @module Adapters
  */
@@ -56,6 +58,30 @@ export class FilesAdapter {
    * @return {string} Absolute URL
    */
   getFileLocation(config: Config, filename: string): string {}
+
+  /**
+   *
+   * @param {string} filename
+   *
+   * @returns {null|*|Parse.Error} null if there are no errors
+   */
+  validateFilename(filename): ?Parse.Error {}
+}
+
+export function validateFilename(filename): ?Parse.Error {
+  if (filename.length > 128) {
+    return new Parse.Error(Parse.Error.INVALID_FILE_NAME, 'Filename too long.');
+  }
+
+  // US/ASCII centric default
+  const regx = /^[_a-zA-Z0-9][a-zA-Z0-9@. ~_-]*$/;
+  if (!filename.match(regx)) {
+    return new Parse.Error(
+      Parse.Error.INVALID_FILE_NAME,
+      'Filename contains invalid characters.'
+    );
+  }
+  return null; // No errors
 }
 
 export default FilesAdapter;

src/Adapters/Files/GridFSBucketAdapter.js

@@ -8,7 +8,7 @@
 
 // @flow-disable-next
 import { MongoClient, GridFSBucket, Db } from 'mongodb';
-import { FilesAdapter } from './FilesAdapter';
+import { FilesAdapter, validateFilename } from './FilesAdapter';
 import defaults from '../../defaults';
 
 export class GridFSBucketAdapter extends FilesAdapter {
@@ -139,6 +139,10 @@ export class GridFSBucketAdapter extends FilesAdapter {
     }
     return this._client.close(false);
   }
+
+  validateFilename(filename) {
+    return validateFilename(filename);
+  }
 }
 
 export default GridFSBucketAdapter;

src/Adapters/Files/GridStoreAdapter.js

@@ -9,7 +9,7 @@
 
 // @flow-disable-next
 import { MongoClient, GridStore, Db } from 'mongodb';
-import { FilesAdapter } from './FilesAdapter';
+import { FilesAdapter, validateFilename } from './FilesAdapter';
 import defaults from '../../defaults';
 
 export class GridStoreAdapter extends FilesAdapter {
@@ -110,6 +110,10 @@ export class GridStoreAdapter extends FilesAdapter {
     }
     return this._client.close(false);
   }
+
+  validateFilename(filename) {
+    return validateFilename(filename);
+  }
 }
 
 // handleRangeRequest is licensed under Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/).

src/Routers/FilesRouter.js

@@ -5,6 +5,7 @@ import Parse from 'parse/node';
 import Config from '../Config';
 import mime from 'mime';
 import logger from '../logger';
+import validateFilename from '../Adapters/Files/FilesAdapter';
 
 export class FilesRouter {
   expressRouter({ maxUploadSize = '20Mb' } = {}) {
@@ -69,35 +70,30 @@ export class FilesRouter {
   }
 
   createHandler(req, res, next) {
+    const config = req.config;
+    const filesController = config.filesController;
+    const filename = req.params.filename;
+    const contentType = req.get('Content-type');
+
     if (!req.body || !req.body.length) {
       next(
         new Parse.Error(Parse.Error.FILE_SAVE_ERROR, 'Invalid file upload.')
       );
       return;
     }
 
-    if (req.params.filename.length > 128) {
-      next(
-        new Parse.Error(Parse.Error.INVALID_FILE_NAME, 'Filename too long.')
-      );
-      return;
+    var error;
+    if (typeof filesController.adapter.validateFilename === 'function') {
+      error = filesController.adapter.validateFilename(filename);
+    } else {
+      error = validateFilename(filename);
     }
 
-    if (!req.params.filename.match(/^[_a-zA-Z0-9][a-zA-Z0-9@\.\ ~_-]*$/)) {
-      next(
-        new Parse.Error(
-          Parse.Error.INVALID_FILE_NAME,
-          'Filename contains invalid characters.'
-        )
-      );
+    if (error) {
+      next(error);
       return;
     }
 
-    const filename = req.params.filename;
-    const contentType = req.get('Content-type');
-    const config = req.config;
-    const filesController = config.filesController;
-
     filesController
       .createFile(config, filename, req.body, contentType)
       .then(result => {