fix: add prevent direct access to files (logs, csv export, etc...)

tainacan · Feb 26, 2024 · 9c039f5 · 9c039f5
1 parent 76770ef
commit 9c039f5
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 13 deletions.
diff --git a/src/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php b/src/classes/api/endpoints/class-tainacan-rest-background-processes-controller.php
@@ -11,8 +11,7 @@
  *
  * */
 class REST_Background_Processes_Controller extends REST_Controller {
-    private $collections_repository;
-    private $collection;
+    private $table = '';
 
     protected function get_schema() {
         return "TODO:get_schema";
@@ -78,7 +77,6 @@ public function register_routes(){
 	        ),
         ));
         register_rest_route($this->namespace, '/' . $this->rest_base . '/(?P<id>[0-9]+)', array(
-
             array(
                 'methods'             => \WP_REST_Server::READABLE,
                 'callback'            => array($this, 'get_item'),
@@ -87,7 +85,6 @@ public function register_routes(){
 
         ));
         register_rest_route($this->namespace, '/' . $this->rest_base . '/(?P<id>[0-9]+)', array(
-
             array(
                 'methods'             => \WP_REST_Server::EDITABLE,
                 'callback'            => array($this, 'update_item'),
@@ -106,7 +103,6 @@ public function register_routes(){
 
         ));
         register_rest_route($this->namespace, '/' . $this->rest_base . '/(?P<id>[0-9]+)', array(
-
             array(
                 'methods'             => \WP_REST_Server::DELETABLE,
                 'callback'            => array($this, 'delete_item'),
@@ -115,6 +111,14 @@ public function register_routes(){
             ),
 
         ));
+        register_rest_route($this->namespace, '/' . $this->rest_base . '/file', array(
+            array(
+                'methods'             => \WP_REST_Server::READABLE,
+                'callback'            => array($this, 'get_file'),
+                'permission_callback' => array($this, 'bg_processes_permissions_check'),
+            ),
+
+        ));
     }
 
 
@@ -125,7 +129,7 @@ public function register_routes(){
 	 * @return bool|\WP_Error
 	 * @throws \Exception
 	 */
-	public function  bg_processes_permissions_check($request){
+	public function  bg_processes_permissions_check($request) { 
         // TODO
         return current_user_can('read');
 	}
@@ -347,11 +351,32 @@ public function get_log_url($id, $action, $type = '') {
         if (!file_exists( $upload_url['basedir'] . '/tainacan/' . $filename )) {
             return null;
         }
-
-		$upload_url = trailingslashit( $upload_url['baseurl'] );
-        $logs_url = $upload_url . 'tainacan/' . $filename;
-
+        $logs_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$filename";
         return $logs_url;
     }
 
+    public function get_file( $request ) {
+        if( !isset($request['guid']) )  {
+            return new \WP_REST_Response([
+                'error_message' => __('guid must be specified', 'tainacan' )
+            ], 400);
+        }
+        $guid = $request['guid'];
+        $upload_url = wp_upload_dir();
+        $path = $upload_url['basedir'] . '/tainacan/' . $guid;
+        if ( file_exists( $path ) ) {
+            $finfo = finfo_open(FILEINFO_MIME_TYPE);
+            $mime_type = finfo_file($finfo, $path);
+            $file_name = basename($path);
+            http_response_code(200);
+            header('Content-Description: File Transfer');
+            header("Content-Disposition: attachment; filename=$file_name"); 
+            header("Content-Type: $mime_type");
+            header("Content-Length: " . filesize( $path ));
+            \readfile($path);
+        } else {
+            return new \WP_REST_Response("file not found", 404, array('content-type' => 'text/html; charset=utf-8'));
+        }
+    }
+
 }
diff --git a/src/classes/exporter/class-tainacan-exporter.php b/src/classes/exporter/class-tainacan-exporter.php
@@ -689,7 +689,7 @@ public function add_new_file($key) {
 		$upload_dir_info = wp_upload_dir();
 		$prefix = $this->get_id();
 		$upload_dir = trailingslashit( $upload_dir_info['basedir'] );
-		$upload_url = trailingslashit( $upload_dir_info['baseurl'] );
+		// $upload_url = trailingslashit( $upload_dir_info['baseurl'] );
 		$exporter_folder = 'tainacan/exporter';
 		$file_suffix = "{$exporter_folder}/{$prefix}_{$key}";
 
@@ -699,7 +699,8 @@ public function add_new_file($key) {
 			}
 		}
 		$file_name = "{$upload_dir}{$file_suffix}";
-		$file_url  = "{$upload_url}{$file_suffix}";
+		$guid = "exporter/{$prefix}_{$key}";
+		$file_url = esc_url_raw( rest_url() ) . "tainacan/v2/bg-processes/file?guid=$guid";
 		$this->output_files[$key] = [
 			'filename' => $file_name,
 			'url' => $file_url

diff --git a/src/tainacan.php b/src/tainacan.php
@@ -159,4 +159,30 @@ function wp_kses_tainacan($content, $context='tainacan_content') {
 		default:
 			return $allowedposttags;
 	}
-}, 10, 2);
+}, 10, 2);
+
+
+// Function to add rules to [upload_dir]/tainacan/.htaccess
+function tainacan_add_htaccess_rules() {
+    $uploads_dir = wp_upload_dir(); // Uploads directory
+    $htaccess_dir = trailingslashit($uploads_dir['basedir']) . 'tainacan'; // Path to the tainacan folder
+    $htaccess_file = trailingslashit($htaccess_dir) . '.htaccess'; // Path to the .htaccess file
+
+    // If the folder doesn't exist, create it
+    if (!file_exists($htaccess_dir)) {
+        wp_mkdir_p($htaccess_dir);
+    }
+
+    $marker = 'Tainacan [<wp_upload_dir()>/tainacan] rules'; // Marker name for identification
+    $rules = array(
+        '# Prevent direct access to files',
+        'Order deny,allow',
+        'Deny from all'
+    ); // Rules to be added
+
+    // Add rules to the .htaccess file
+    insert_with_markers($htaccess_file, $marker, $rules);
+}
+
+// Hook to execute the function when the plugin is activated
+register_activation_hook(__FILE__, 'tainacan_add_htaccess_rules');