Unrestricted php file upload fix (#681)

https://huntr.dev/bounties/d7453360-baca-4e56-985f-481275fa38db/
2025-10-30 21:21:09 -04:00 · 2021-12-29 13:33:20 +01:00
parent c9d0a63854
commit cdc913d16c
7 changed files with 176 additions and 8 deletions
--- a/app/Http/Controllers/V1/Admin/Expense/ExpensesController.php
+++ b/app/Http/Controllers/V1/Admin/Expense/ExpensesController.php
@ -39,7 +39,7 @@ class ExpensesController extends Controller
    /**
     * Store a newly created resource in storage.
     *
-     * @param  \Illuminate\Http\Request $request
+     * @param  \Crater\Http\Requests\ExpenseRequest $request
     * @return \Illuminate\Http\JsonResponse
     */
    public function store(ExpenseRequest $request)
@ -67,7 +67,7 @@ class ExpensesController extends Controller
    /**
     * Update the specified resource in storage.
     *
-     * @param  \Illuminate\Http\Request $request
+     * @param  \Crater\Http\Requests\ExpenseRequest $request
     * @param  \Crater\Models\Expense $expense
     * @return \Illuminate\Http\JsonResponse
     */
--- a/app/Http/Controllers/V1/Admin/Expense/UploadReceiptController.php
+++ b/app/Http/Controllers/V1/Admin/Expense/UploadReceiptController.php
@ -5,17 +5,18 @@ namespace Crater\Http\Controllers\V1\Admin\Expense;
 use Crater\Http\Controllers\Controller;
 use Crater\Models\Expense;
 use Illuminate\Http\Request;
+use Crater\Http\Requests\ExpenseRequest;

 class UploadReceiptController extends Controller
 {
    /**
     * Upload the expense receipts to storage.
     *
-     * @param  \Illuminate\Http\Request $request
+     * @param  \Crater\Http\Requests\ExpenseRequest $request
     * @param  Expense $expense
     * @return \Illuminate\Http\JsonResponse
     */
-    public function __invoke(Request $request, Expense $expense)
+    public function __invoke(ExpenseRequest $request, Expense $expense)
    {
        $this->authorize('update', $expense);

--- a/app/Http/Controllers/V1/Admin/Settings/CompanyController.php
+++ b/app/Http/Controllers/V1/Admin/Settings/CompanyController.php
@ -9,6 +9,8 @@ use Crater\Http\Resources\CompanyResource;
 use Crater\Http\Resources\UserResource;
 use Crater\Models\Company;
 use Illuminate\Http\Request;
+use Crater\Http\Requests\AvatarRequest;
+use Crater\Http\Requests\CompanyLogoRequest;

 class CompanyController extends Controller
 {
@ -58,10 +60,10 @@ class CompanyController extends Controller
    /**
     * Upload the company logo to storage.
     *
-     * @param  \Illuminate\Http\Request $request
+     * @param  \Crater\Http\Requests\CompanyLogoRequest $request
     * @return \Illuminate\Http\JsonResponse
     */
-    public function uploadCompanyLogo(Request $request)
+    public function uploadCompanyLogo(CompanyLogoRequest $request)
    {
        $company = Company::find($request->header('company'));

@ -89,10 +91,10 @@ class CompanyController extends Controller
    /**
     * Upload the Admin Avatar to public storage.
     *
-     * @param  \Illuminate\Http\Request $request
+     * @param  \Crater\Http\Requests\AvatarRequest $request
     * @return \Illuminate\Http\JsonResponse
     */
-    public function uploadAvatar(Request $request)
+    public function uploadAvatar(AvatarRequest $request)
    {
        $user = auth()->user();

--- a/app/Http/Requests/AvatarRequest.php
+++ b/app/Http/Requests/AvatarRequest.php
@ -0,0 +1,40 @@
+<?php
+
+namespace Crater\Http\Requests;
+
+use Crater\Rules\Base64Mime;
+use Illuminate\Foundation\Http\FormRequest;
+
+class AvatarRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     *
+     * @return bool
+     */
+    public function authorize()
+    {
+        return true;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array
+     */
+    public function rules()
+    {
+        return [
+            'admin_avatar' => [
+                'nullable',
+                'file',
+                'mimes:gif,jpg,png',
+                'max:20000'
+            ],
+            'avatar' => [
+                'nullable',
+                new Base64Mime(['gif', 'jpg', 'png'])
+            ]
+        ];
+    }
+}
--- a/app/Http/Requests/CompanyLogoRequest.php
+++ b/app/Http/Requests/CompanyLogoRequest.php
@ -0,0 +1,34 @@
+<?php
+
+namespace Crater\Http\Requests;
+
+use Crater\Rules\Base64Mime;
+use Illuminate\Foundation\Http\FormRequest;
+
+class CompanyLogoRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     *
+     * @return bool
+     */
+    public function authorize()
+    {
+        return true;
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array
+     */
+    public function rules()
+    {
+        return [
+            'company_logo' => [
+                'nullable',
+                new Base64Mime(['gif', 'jpg', 'png'])
+            ]
+        ];
+    }
+}
--- a/app/Http/Requests/ExpenseRequest.php
+++ b/app/Http/Requests/ExpenseRequest.php
@ -51,6 +51,12 @@ class ExpenseRequest extends FormRequest
            'currency_id' => [
                'required'
            ],
+            'attachment_receipt' => [
+                'nullable',
+                'file',
+                'mimes:jpg,png,pdf,doc,docx,xls,xlsx,ppt,pptx',
+                'max:20000'
+            ]
        ];

        if ($companyCurrency && $this->currency_id) {