Browse Source

fix(nocodb): validate attachment upload scope

pull/9722/head
Ramesh Mane 1 month ago
parent
commit
b9afd0ba50
  1. 1
      packages/nocodb-sdk/src/lib/globals.ts
  2. 8
      packages/nocodb/src/helpers/catchError.ts
  3. 16
      packages/nocodb/src/services/attachments.service.ts

1
packages/nocodb-sdk/src/lib/globals.ts

@ -218,6 +218,7 @@ export enum NcErrorType {
INTEGRATION_LINKED_WITH_BASES = 'INTEGRATION_LINKED_WITH_BASES',
FORMULA_ERROR = 'FORMULA_ERROR',
PERMISSION_DENIED = 'PERMISSION_DENIED',
INVALID_ATTACHMENT_UPLOAD_SCOPE = 'INVALID_ATTACHMENT_UPLOAD_SCOPE',
}
type Roles = OrgUserRoles | ProjectRoles | WorkspaceUserRoles;

8
packages/nocodb/src/helpers/catchError.ts

@ -661,6 +661,10 @@ const errorHelpers: {
message: 'Permission denied',
code: 403,
},
[NcErrorType.INVALID_ATTACHMENT_UPLOAD_SCOPE]: {
message: 'Invalid attachment upload scope',
code: 400,
},
};
function generateError(
@ -1019,4 +1023,8 @@ export class NcError {
...(args || {}),
});
}
static invalidAttachmentUploadScope(args?: NcErrorArgs) {
throw new NcBaseErrorv2(NcErrorType.INVALID_ATTACHMENT_UPLOAD_SCOPE, args);
}
}

16
packages/nocodb/src/services/attachments.service.ts

@ -58,6 +58,14 @@ export class AttachmentsService {
path?: string;
scope?: PublicAttachmentScope;
}) {
// Validate scope if exist
if (
param.scope &&
!Object.values(PublicAttachmentScope).includes(param.scope)
) {
NcError.invalidAttachmentUploadScope();
}
const userId = param.req?.user.id || 'anonymous';
param.path = param.scope
@ -206,6 +214,14 @@ export class AttachmentsService {
path?: string;
scope?: PublicAttachmentScope;
}) {
// Validate scope if exist
if (
param.scope &&
!Object.values(PublicAttachmentScope).includes(param.scope)
) {
NcError.invalidAttachmentUploadScope();
}
const userId = param.req?.user.id || 'anonymous';
param.path = param.scope

Loading…
Cancel
Save