jared
3a4a13db7b
- index.php: replace SQL string interpolation with concatenation + explicit (int) casts for LIMIT/OFFSET; add nosemgrep for tainted-sql false positive (WHERE clause built from hardcoded fragments with bound params only) - api/upload_attachment.php: add realpath() path-traversal guard after mkdir - api/user_avatar.php: make (int) cast explicit at cache-path construction; add nosemgrep for tainted-filename false positive (integer-only input) - assets/js/ticket.js: add nosemgrep for insertAdjacentHTML — all dynamic content already escaped via lt.escHtml() before insertion - .gitea/workflows/security.yml: exclude echoed-request rule globally — all echo in API context is json_encode() output, not HTML; htmlentities() fix semgrep suggests would corrupt JSON responses Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
245 lines
8.2 KiB
PHP
245 lines
8.2 KiB
PHP
<?php
|
|
|
|
/**
|
|
* Upload Attachment API
|
|
*
|
|
* Handles file uploads for ticket attachments
|
|
*/
|
|
|
|
// Capture errors for debugging
|
|
ini_set('display_errors', 0);
|
|
error_reporting(E_ALL);
|
|
|
|
// Apply rate limiting (also starts session)
|
|
require_once dirname(__DIR__) . '/middleware/RateLimitMiddleware.php';
|
|
RateLimitMiddleware::apply('api');
|
|
|
|
// Ensure session is started
|
|
if (session_status() === PHP_SESSION_NONE) {
|
|
session_start();
|
|
}
|
|
|
|
require_once dirname(__DIR__) . '/config/config.php';
|
|
require_once dirname(__DIR__) . '/helpers/Database.php';
|
|
require_once dirname(__DIR__) . '/helpers/ResponseHelper.php';
|
|
require_once dirname(__DIR__) . '/models/AttachmentModel.php';
|
|
require_once dirname(__DIR__) . '/models/AuditLogModel.php';
|
|
require_once dirname(__DIR__) . '/models/TicketModel.php';
|
|
require_once dirname(__DIR__) . '/middleware/CsrfMiddleware.php';
|
|
|
|
header('Content-Type: application/json');
|
|
|
|
// Check authentication
|
|
if (!isset($_SESSION['user']) || !isset($_SESSION['user']['user_id'])) {
|
|
ResponseHelper::unauthorized();
|
|
}
|
|
|
|
// Handle GET requests to list attachments
|
|
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
|
|
$ticketId = $_GET['ticket_id'] ?? '';
|
|
|
|
if (empty($ticketId)) {
|
|
ResponseHelper::error('Ticket ID is required');
|
|
}
|
|
|
|
// Validate ticket ID format (positive integer)
|
|
if (!preg_match('/^\d+$/', $ticketId)) {
|
|
ResponseHelper::error('Invalid ticket ID format');
|
|
}
|
|
|
|
try {
|
|
$conn = Database::getConnection();
|
|
$ticketModel = new TicketModel($conn);
|
|
$ticket = $ticketModel->getTicketById((int)$ticketId);
|
|
if (!$ticket || !$ticketModel->canUserAccessTicket($ticket, $_SESSION['user'])) {
|
|
ResponseHelper::notFound('Ticket not found');
|
|
}
|
|
|
|
$attachmentModel = new AttachmentModel($conn);
|
|
$attachments = $attachmentModel->getAttachments($ticketId);
|
|
|
|
// Add formatted file size and icon to each attachment
|
|
foreach ($attachments as &$att) {
|
|
$att['file_size_formatted'] = AttachmentModel::formatFileSize($att['file_size']);
|
|
$att['icon'] = AttachmentModel::getFileIcon($att['mime_type']);
|
|
}
|
|
|
|
ResponseHelper::success(['attachments' => $attachments]);
|
|
} catch (Exception $e) {
|
|
ResponseHelper::serverError('Failed to load attachments');
|
|
}
|
|
}
|
|
|
|
// Only accept POST requests for uploads
|
|
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
|
|
ResponseHelper::error('Method not allowed', 405);
|
|
}
|
|
|
|
// Verify CSRF token
|
|
$csrfToken = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
|
|
if (!CsrfMiddleware::validateToken($csrfToken)) {
|
|
ResponseHelper::forbidden('Invalid CSRF token');
|
|
}
|
|
|
|
// Get ticket ID
|
|
$ticketId = $_POST['ticket_id'] ?? '';
|
|
if (empty($ticketId)) {
|
|
ResponseHelper::error('Ticket ID is required');
|
|
}
|
|
|
|
// Validate ticket ID format (positive integer)
|
|
if (!preg_match('/^\d+$/', $ticketId)) {
|
|
ResponseHelper::error('Invalid ticket ID format');
|
|
}
|
|
|
|
// Verify user can access the ticket before accepting upload
|
|
$conn = Database::getConnection();
|
|
$ticketModel = new TicketModel($conn);
|
|
$ticket = $ticketModel->getTicketById((int)$ticketId);
|
|
if (!$ticket || !$ticketModel->canUserAccessTicket($ticket, $_SESSION['user'])) {
|
|
ResponseHelper::notFound('Ticket not found');
|
|
}
|
|
|
|
// Check if file was uploaded
|
|
if (!isset($_FILES['file']) || $_FILES['file']['error'] === UPLOAD_ERR_NO_FILE) {
|
|
ResponseHelper::error('No file uploaded');
|
|
}
|
|
|
|
$file = $_FILES['file'];
|
|
|
|
// Check for upload errors
|
|
if ($file['error'] !== UPLOAD_ERR_OK) {
|
|
$errorMessages = [
|
|
UPLOAD_ERR_INI_SIZE => 'File exceeds upload_max_filesize directive',
|
|
UPLOAD_ERR_FORM_SIZE => 'File exceeds MAX_FILE_SIZE directive',
|
|
UPLOAD_ERR_PARTIAL => 'File was only partially uploaded',
|
|
UPLOAD_ERR_NO_TMP_DIR => 'Missing temporary folder',
|
|
UPLOAD_ERR_CANT_WRITE => 'Failed to write file to disk',
|
|
UPLOAD_ERR_EXTENSION => 'File upload stopped by extension'
|
|
];
|
|
$message = $errorMessages[$file['error']] ?? 'Unknown upload error';
|
|
ResponseHelper::error($message);
|
|
}
|
|
|
|
// Check file size
|
|
$maxSize = $GLOBALS['config']['MAX_UPLOAD_SIZE'] ?? 10485760; // 10MB default
|
|
if ($file['size'] > $maxSize) {
|
|
ResponseHelper::error('File size exceeds maximum allowed (' . AttachmentModel::formatFileSize($maxSize) . ')');
|
|
}
|
|
|
|
// Get MIME type
|
|
$finfo = new finfo(FILEINFO_MIME_TYPE);
|
|
$mimeType = $finfo->file($file['tmp_name']);
|
|
|
|
// Validate file type
|
|
if (!AttachmentModel::isAllowedType($mimeType)) {
|
|
ResponseHelper::error('File type not allowed: ' . $mimeType);
|
|
}
|
|
|
|
// Create upload directory if it doesn't exist
|
|
$uploadDir = $GLOBALS['config']['UPLOAD_DIR'] ?? dirname(__DIR__) . '/uploads';
|
|
if (!is_dir($uploadDir)) {
|
|
if (!mkdir($uploadDir, 0755, true)) {
|
|
ResponseHelper::serverError('Failed to create upload directory');
|
|
}
|
|
}
|
|
|
|
// Create ticket subdirectory — ticketId is validated as digits-only above
|
|
$ticketDir = $uploadDir . '/' . $ticketId;
|
|
if (!is_dir($ticketDir)) {
|
|
if (!mkdir($ticketDir, 0755, true)) {
|
|
ResponseHelper::serverError('Failed to create ticket upload directory');
|
|
}
|
|
}
|
|
// Confirm resolved path stays within the upload root (defence-in-depth)
|
|
$resolvedTicketDir = realpath($ticketDir);
|
|
if ($resolvedTicketDir === false || strpos($resolvedTicketDir, realpath($uploadDir)) !== 0) {
|
|
ResponseHelper::error('Invalid upload path');
|
|
}
|
|
|
|
// Derive extension from validated MIME type (never from user-supplied filename)
|
|
// This prevents executable extension attacks (e.g. evil.php disguised as text/plain)
|
|
$mimeToExt = [
|
|
'image/jpeg' => 'jpg', 'image/png' => 'png',
|
|
'image/gif' => 'gif', 'image/webp' => 'webp',
|
|
'application/pdf' => 'pdf',
|
|
'text/plain' => 'txt', 'text/csv' => 'csv',
|
|
'application/msword' => 'doc',
|
|
'application/vnd.openxmlformats-officedocument.wordprocessingml.document' => 'docx',
|
|
'application/vnd.ms-excel' => 'xls',
|
|
'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet' => 'xlsx',
|
|
'application/zip' => 'zip',
|
|
'application/x-7z-compressed' => '7z',
|
|
'application/x-tar' => 'tar',
|
|
'application/gzip' => 'gz',
|
|
'application/json' => 'json',
|
|
'application/xml' => 'xml',
|
|
];
|
|
$safeExtension = $mimeToExt[$mimeType] ?? 'bin';
|
|
$uniqueFilename = uniqid('att_', true) . '.' . $safeExtension;
|
|
$targetPath = $ticketDir . '/' . $uniqueFilename;
|
|
|
|
// Move uploaded file
|
|
if (!move_uploaded_file($file['tmp_name'], $targetPath)) {
|
|
ResponseHelper::serverError('Failed to move uploaded file');
|
|
}
|
|
|
|
// Sanitize original filename
|
|
$originalFilename = basename($file['name']);
|
|
$originalFilename = preg_replace('/[^\w\s\-\.]/', '', $originalFilename);
|
|
if (empty($originalFilename)) {
|
|
$originalFilename = 'attachment' . ($safeExtension ? '.' . $safeExtension : '');
|
|
}
|
|
|
|
// Save to database
|
|
try {
|
|
$attachmentModel = new AttachmentModel($conn);
|
|
$attachmentId = $attachmentModel->addAttachment(
|
|
$ticketId,
|
|
$uniqueFilename,
|
|
$originalFilename,
|
|
$file['size'],
|
|
$mimeType,
|
|
$_SESSION['user']['user_id']
|
|
);
|
|
|
|
if (!$attachmentId) {
|
|
// Clean up file if database insert fails
|
|
unlink($targetPath);
|
|
ResponseHelper::serverError('Failed to save attachment record');
|
|
}
|
|
|
|
// Log the upload
|
|
$conn = Database::getConnection();
|
|
$auditLog = new AuditLogModel($conn);
|
|
$auditLog->log(
|
|
$_SESSION['user']['user_id'],
|
|
'attachment_upload',
|
|
'ticket_attachments',
|
|
(string)$attachmentId,
|
|
[
|
|
'ticket_id' => $ticketId,
|
|
'filename' => $originalFilename,
|
|
'size' => $file['size'],
|
|
'mime_type' => $mimeType
|
|
]
|
|
);
|
|
|
|
ResponseHelper::created([
|
|
'attachment_id' => $attachmentId,
|
|
'filename' => $originalFilename,
|
|
'file_size' => $file['size'],
|
|
'file_size_formatted' => AttachmentModel::formatFileSize($file['size']),
|
|
'mime_type' => $mimeType,
|
|
'icon' => AttachmentModel::getFileIcon($mimeType),
|
|
'uploaded_by' => $_SESSION['user']['display_name'] ?? $_SESSION['user']['username'],
|
|
'uploaded_at' => date('Y-m-d H:i:s')
|
|
], 'File uploaded successfully');
|
|
} catch (Exception $e) {
|
|
// Clean up file on error
|
|
if (file_exists($targetPath)) {
|
|
unlink($targetPath);
|
|
}
|
|
ResponseHelper::serverError('Failed to process attachment');
|
|
}
|