fix: prevent file upload with js included

abdul-kaioum · abdul-kaioum · commit ddcfca90db2a · 2025-03-13T16:07:28.000+06:00
diff --git a/backend/app/Http/Controllers/FileManagerController.php b/backend/app/Http/Controllers/FileManagerController.php
@@ -45,7 +45,7 @@ public function getFinderOptions()
         );
 
         $finderOptions->setBind(
-            'get.pre file.pre archive.pre back.pre chmod.pre colwidth.pre copy.pre cut.pre duplicate.pre editor.pre put.pre
+            'get.pre file.pre archive.pre back.pre chmod.pre colwidth.pre copy.pre cut.pre duplicate.pre editor.pre
              extract.pre forward.pre fullscreen.pre getfile.pre help.pre home.pre info.pre mkdir.pre mkfile.pre
              netmount.pre netunmount.pre open.pre opendir.pre paste.pre places.pre quicklook.pre reload.pre
              rename.pre resize.pre restore.pre rm.pre search.pre sort.pre up.pre upload.pre view.pre zipdl.pre
diff --git a/backend/app/Providers/AccessControlProvider.php b/backend/app/Providers/AccessControlProvider.php
@@ -95,12 +95,13 @@ public function checkPermission($command, ...$args)
             $error = '';
         }
 
-        if (!empty($error)) {
-            try {
+        try {
+            if (!empty($error)) {
                 throw new PreCommandException($error);
-            } catch (PreCommandException $th) {
-                return $th->getError();
             }
+            $this->scanFile($command, $args);
+        } catch (PreCommandException $th) {
+            return $th->getError();
         }
     }
 
@@ -158,4 +159,52 @@ private function isFileAllowedToOpen($args)
 
         return false;
     }
+
+    public function scanFile($command, $args)
+    {
+        if (!\in_array($command, ['put', 'upload']) || \in_array('javascript', Plugin::instance()->permissions()->getEnabledFileType())) {
+            return;
+        }
+        $content = '';
+
+        if ($command === 'upload' && isset($args[0]['FILES']['upload']['tmp_name'])) {
+            $filePath       = '';
+            $fileName       = '';
+            $filePath       = $args[0]['FILES']['upload']['tmp_name'][0];
+            $fileName       = $args[0]['FILES']['upload']['name'][0];
+            $fileTypeAndExt = wp_check_filetype_and_ext($filePath, $fileName);
+            if (isset($fileTypeAndExt['ext'], $fileTypeAndExt['type']) && (strpos($fileTypeAndExt['type'], 'text') !== false || strpos($fileTypeAndExt['type'], 'pdf') !== false)) {
+                $content = file_get_contents($filePath);
+            }
+        } elseif (isset($_REQUEST['content'])) {
+            $content = $_REQUEST['content'];
+        }
+
+        if (empty($content)) {
+            return;
+        }
+
+        $containsJs = false;
+
+        $maliciousPatterns = [
+            '/<script.*?>.*?<\/script>/is',
+            '/onload=["\'].*?["\']/is',
+            '/<.*?javascript:.*?>/is',
+            '/<.*?on\w+=[^>]+>/is',
+            '/\/S \/JavaScript \/JS /is',
+        ];
+
+        foreach ($maliciousPatterns as $pattern) {
+            if (preg_match($pattern, $content)) {
+                $containsJs = true;
+
+                break;
+            }
+        }
+
+        if ($containsJs) {
+
+            throw new PreCommandException(__('The file contains JS code. Please remove the code and try again. Or allow js mimetype', 'file-manager'));
+        }
+    }
 }
diff --git a/backend/app/Providers/FileEditValidator.php b/backend/app/Providers/FileEditValidator.php
@@ -13,6 +13,7 @@ public function validate($cmd, &$args, $elfinder, $volume)
     {
         try {
             $this->checkPermission();
+            Plugin::instance()->accessControl()->scanFile($cmd, $args);
         } catch (PreCommandException $th) {
             return $th->getError();
         }
diff --git a/frontend/src/pages/Layout/ui/Navigation/TopNavigation/static/MenuItems.tsx b/frontend/src/pages/Layout/ui/Navigation/TopNavigation/static/MenuItems.tsx
@@ -44,10 +44,10 @@ export const items: Array<ProductDetail> = [
       'Customer Support Button with SMS Call Button, Click to Chat Messenger, Live Chat Support Chat Button'
   },
   {
-    key: 'bit-pi',
+    key: 'bit-flows',
     label: (
-      <a href="https://bitapps.pro" target="_blank" rel="noreferrer">
-        Bit Pi
+      <a href="https://bit-flows.com" target="_blank" rel="noreferrer">
+        Bit Flows
       </a>
     ),
     title: 'An advanced integration plugin for your WordPress website.'
diff --git a/frontend/src/pages/root/Root.tsx b/frontend/src/pages/root/Root.tsx
@@ -70,7 +70,7 @@ export default function Root() {
         setIsOpening(true)
       })
 
-      finder.bind('opendone reload', () => {
+      finder.bind('opendone reload sync', () => {
         setIsOpening(false)
       })
 

Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@ public function validate($cmd, &$args, $elfinder, $volume)`
`13`	`13`	`{`
`14`	`14`	`try {`
`15`	`15`	`$this->checkPermission();`
	`16`	`+ Plugin::instance()->accessControl()->scanFile($cmd, $args);`
`16`	`17`	`} catch (PreCommandException $th) {`
`17`	`18`	`return $th->getError();`
`18`	`19`	`}`