From b9afd0ba509901043d8ba22961a67f6ca80780a7 Mon Sep 17 00:00:00 2001
From: Ramesh Mane <101566080+rameshmane7218@users.noreply.github.com>
Date: Wed, 20 Nov 2024 17:11:14 +0000
Subject: [PATCH] fix(nocodb): validate attachment upload scope

---
 packages/nocodb-sdk/src/lib/globals.ts | 1 +
 packages/nocodb/src/helpers/catchError.ts | 8 ++++++++
 .../nocodb/src/services/attachments.service.ts | 16 ++++++++++++++++
 3 files changed, 25 insertions(+)

diff --git a/packages/nocodb-sdk/src/lib/globals.ts b/packages/nocodb-sdk/src/lib/globals.ts
index eac60a9f6c..19551e4d19 100644
--- a/packages/nocodb-sdk/src/lib/globals.ts
+++ b/packages/nocodb-sdk/src/lib/globals.ts
@@ -218,6 +218,7 @@ export enum NcErrorType {
   INTEGRATION_LINKED_WITH_BASES = 'INTEGRATION_LINKED_WITH_BASES',
   FORMULA_ERROR = 'FORMULA_ERROR',
   PERMISSION_DENIED = 'PERMISSION_DENIED',
+  INVALID_ATTACHMENT_UPLOAD_SCOPE = 'INVALID_ATTACHMENT_UPLOAD_SCOPE',
 }
 
 type Roles = OrgUserRoles | ProjectRoles | WorkspaceUserRoles;
diff --git a/packages/nocodb/src/helpers/catchError.ts b/packages/nocodb/src/helpers/catchError.ts
index 09dd16d02f..e2e652969e 100644
--- a/packages/nocodb/src/helpers/catchError.ts
+++ b/packages/nocodb/src/helpers/catchError.ts
@@ -661,6 +661,10 @@ const errorHelpers: {
     message: 'Permission denied',
     code: 403,
   },
+  [NcErrorType.INVALID_ATTACHMENT_UPLOAD_SCOPE]: {
+    message: 'Invalid attachment upload scope',
+    code: 400,
+  },
 };
 
 function generateError(
@@ -1019,4 +1023,8 @@ export class NcError {
       ...(args || {}),
     });
   }
+
+  static invalidAttachmentUploadScope(args?: NcErrorArgs) {
+    throw new NcBaseErrorv2(NcErrorType.INVALID_ATTACHMENT_UPLOAD_SCOPE, args);
+  }
 }
diff --git a/packages/nocodb/src/services/attachments.service.ts b/packages/nocodb/src/services/attachments.service.ts
index ec303366a9..0dfe1db816 100644
--- a/packages/nocodb/src/services/attachments.service.ts
+++ b/packages/nocodb/src/services/attachments.service.ts
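Review bot: `invalidAttachmentUploadScope` in the second catchError.ts hunk always throws but declares no return type, so TypeScript treats it as returning `void` and call sites (such as the new checks in attachments.service.ts) get no control-flow narrowing after the call; `static invalidAttachmentUploadScope(args?: NcErrorArgs): never {` states the contract explicitly. The neighbouring NcError helpers appear to follow the same untyped pattern, so if they also lack `never` this is better applied across the class in one pass rather than to this method alone. The 400 mapping added in the first hunk is consistent with treating a bad scope as client input error rather than a permission failure, which matches how the value is later checked. The NcError class begins outside the hunk.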
@@ -58,6 +58,14 @@ export class AttachmentsService {
     path?: string;
     scope?: PublicAttachmentScope;
   }) {
+    // Validate scope if exist
+    if (
+      param.scope &&
+      !Object.values(PublicAttachmentScope).includes(param.scope)
+    ) {
+      NcError.invalidAttachmentUploadScope();
+    }
+
     const userId = param.req?.user.id || 'anonymous';
 
     param.path = param.scope
@@ -206,6 +214,14 @@ export class AttachmentsService {
     path?: string;
     scope?: PublicAttachmentScope;
   }) {
+    // Validate scope if exist
+    if (
+      param.scope &&
+      !Object.values(PublicAttachmentScope).includes(param.scope)
+    ) {
+      NcError.invalidAttachmentUploadScope();
+    }
+
     const userId = param.req?.user.id || 'anonymous';
 
     param.path = param.scope
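Review bot: The same eight-line allowlist check is pasted into both methods of this file (this hunk and the one at +214); a single private helper would keep the two copies from drifting, e.g. `private static assertValidScope(scope?: PublicAttachmentScope): void {` / `if (scope && !Object.values(PublicAttachmentScope).includes(scope)) NcError.invalidAttachmentUploadScope();` / `}` called as `AttachmentsService.assertValidScope(param.scope);` at the top of each method. Since `param.scope` feeds `param.path` a few lines further down, rejecting any value outside the enum before the path is built is the right ordering, and the comment should say why rather than "Validate scope if exist": `// Reject any scope that is not a known PublicAttachmentScope before it is used to build param.path; undefined/empty falls through to the unscoped branch`. `Object.values(...).includes(...)` is a sound allowlist as long as PublicAttachmentScope is a string enum; a numeric enum would also expose its reverse-mapped keys, which I cannot confirm from the hunk. No test accompanies the change; a unit test passing an arbitrary string as `scope` and expecting the 400 would pin the behaviour. Both enclosing methods start and end outside the hunks.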