upload file type validation

Author: skydiver

classes/FilePond/FilePondController.php

@@ -2,13 +2,15 @@
 
 namespace Martin\Forms\Classes\FilePond;
 
-use Illuminate\Routing\Controller as BaseController;
+use Validator;
 use Illuminate\Http\Request;
+use Martin\Forms\Models\Settings;
 use Illuminate\Support\Facades\Response;
+use October\Rain\Filesystem\Definitions;
+use Illuminate\Routing\Controller as BaseController;
 
 class FilePondController extends BaseController
 {
-
     /**
      * @var Filepond
      */
@@ -33,10 +35,17 @@ public function __construct(FilePond $filepond)
      */
     public function upload(Request $request): \Illuminate\Http\Response
     {
-        $field = $request->headers->get('FILEPOND-FIELD');
+        $field = $this->getUploadFieldName();
         $input = $request->file($field);
         $this->file = is_array($input) ? $input[0] : $input;
 
+        /** VALIDATE UPLOAD FILE TYPE */
+        if ($this->checkInvalidFile()) {
+            return Response::make('File type not allowed', 422, [
+                'Content-Type' => 'text/plain',
+            ]);
+        }
+
         if ($input === null) {
             return Response::make($field . ' is required', 422, [
                 'Content-Type' => 'text/plain',
@@ -79,6 +88,16 @@ public function delete(Request $request): \Illuminate\Http\Response
         ]);
     }
 
+    /**
+     * Get field name used for uploads
+     *
+     * @return string
+     */
+    private function getUploadFieldName(): string
+    {
+        return request()->headers->get('FILEPOND-FIELD');
+    }
+
     /**
      * Generate unique temporary filename
      *
@@ -93,4 +112,39 @@ private function generateTempFilename(): string
             $this->file->getClientOriginalName()
         ]);
     }
+
+    /**
+     * Check if uploaded file is a valid mime type
+     *
+     * @return boolean
+     */
+    private function checkInvalidFile(): bool
+    {
+        $field = $this->getUploadFieldName();
+        $types = $this->allowedFileTypes();
+
+        $validator = Validator::make(request()->all(), [
+            $field . '.*' => 'mimes:' . $types,
+        ]);
+
+        return $validator->fails();
+    }
+
+    /**
+     * Get a list of allowed files types
+     *
+     * @return string
+     */
+    private function allowedFileTypes(): string
+    {
+        $settings = Settings::get('global_allowed_files', false);
+
+        if ($settings) {
+            return $settings;
+        }
+
+        $default = Definitions::get('defaultExtensions');
+
+        return implode(',', $default);
+    }
 }

models/settings/fields.yaml

@@ -6,13 +6,33 @@ tabs:
             path   : $/martin/forms/models/settings/_plugin_help.htm
             tab    : martin.forms::lang.settings.tabs.general
 
+        section_ui:
+            label   : UI
+            type    : section
+            comment : Settings related to plugin user inferface
+            tab     : martin.forms::lang.settings.tabs.general
+            cssClass: m-t
+
         global_hide_button:
             label  : martin.forms::lang.settings.global_hide_button
             comment: martin.forms::lang.settings.global_hide_button_desc
             type   : switch
             default: false
             tab    : martin.forms::lang.settings.tabs.general
 
+        section_uploads:
+            label   : File uploads
+            type    : section
+            comment : Settings related to file uploads through components
+            tab     : martin.forms::lang.settings.tabs.general
+            cssClass: m-t-lg
+
+        global_allowed_files:
+            label       : Allowed file formats
+            type        : text
+            default     : jpg,jpeg,bmp,png,webp,gif,js,ico,css,ics,odt,doc,docx,ppt,pptx,pdf,txt,xml,ods,xls,xlsx,ttf,flv,wmv,mp3,ogg,wav,avi,mov,mp4,mpeg,webm,mkv,rar,xml,zip
+            tab         : martin.forms::lang.settings.tabs.general
+
         recaptcha_help:
             type   : partial
             path   : $/martin/forms/models/settings/_recaptcha_help.htm