Mimetype Attachment Restrictions

Last modified by Vincent Massol on 2024/02/26 17:53

 XWiki
 Design
 Active
 

Description

It is currently possible to restrict the size of attachments in a Space. It is interesting to be able to also restrict attachments according to their mimetype in a Space.

Requirements

  • UC1: Users should be restricted to upload attachments according to their mimetype
  • UC2: Admins should be able to configure the allow/block lists at any level
  • UC3: Admins should be able to configure at least the root allow/block lists from an Administration UI

Limitations

  • The control is no part of the attachments API, but is at the user level. Consequently, extensions are not impacted and are allowed to make define their own restrictions
  • Mimetypes are inferred (either client side by the browser, of client side using third-party such as Tika) and can be tricked. This feature must be seen as a way to guide users to use some types of documents but is not a security feature

Other goal

  • Currently, error messages for file size restriction are not uniform and can be very generic. The goal is to have localized and accurate message everywhere a file restriction applies.

Impacts

WIP

  • REST API: AttachmentResource#putAttachment and AttachmentsResource#addAttachment
  • attachment pane
  • xar import in the admin
  • other places in the admin?

Note that currently, no file size check is done using the rest API.

Implementation

xwiki.properties

attachment.mimetype.allowlist=
attachment.mimetype.blocklist=

XClass

Attachment.Code.AttachmentMimetypeRestrictionClass

Two text fields:

  • allowedMimetypes
  • blockedMimetypes

Initialized using a mandatory document initializer in xwiki-platform-attachment-api.

Prevent non-admin users to update Attachment.Code.AttachmentMimetypeRestrictionClass XObject

Same as for rights, (see org.xwiki.security.authorization.internal.RightsFilterListener). A listener listen for document creation and update, and check whether the user performing the action is allowed to edit XWikiRights XObject (i.e., is an admin).

I propose to do the same for mime type restrictions XObjects.

The same could be done for file size restrictions.

Prevent Attachment.Code.AttachmentMimetypeRestrictionClass value inconsistencies

It could be possible for admins to be less restrictive on a given space than it parent (and it is easy to become Admins of a space without being globally admin).

  • Option 1: no restrictions
  • Option 2: always be more restrictive than the parent space
  • Option 3: always be more restrictive than a given XObject (configurable?)
  • Option 4: always be more restrictive than the xwiki.properties

The same is true for file size restrictions.

Prevent inconsistencies on attachment move

Currently, no check is done on move, which means that you can upload a large file in a space, and move it in a space where it wouldn't be allowed.

Without further controls, the same will be true for mimetype restrictions.

  • Option 1: no restrictions
  • Option 2: add a control to check if the move attachment passes the restriction check on the target space and raise an error if it does not.

Note that option 2 might lead to a situation where an attachment cannot be moved or renamed anymore if the restrictions of its space are made stricter after upload.

 


 

Get Connected