Files
wehub-resource-sync 4cddfcf2f3
Backend Tests / Tests (other) (push) Failing after 1s
Backend Tests / Static Checks (push) Failing after 2s
Backend Tests / Tests (internal) (push) Failing after 2s
Backend Tests / Tests (server) (push) Failing after 1s
Backend Tests / Tests (store) (push) Failing after 1s
Build Canary Image / build-frontend (push) Failing after 1s
Frontend Tests / Lint (push) Failing after 1s
Build Canary Image / build-push (linux/amd64) (push) Has been skipped
Build Canary Image / build-push (linux/arm64) (push) Has been skipped
Build Canary Image / merge (push) Has been skipped
Frontend Tests / Build (push) Failing after 1s
Release Please / release-please (push) Failing after 0s
Proto Linter / Lint Protos (push) Failing after 2s
chore: import upstream snapshot with attribution
2026-07-13 12:02:24 +08:00

602 lines
18 KiB
Go

package fileserver
import (
"bytes"
"context"
"encoding/base64"
"encoding/binary"
"fmt"
"hash/crc32"
"image"
"image/color"
"image/png"
"net/http"
"net/http/httptest"
"strings"
"testing"
"time"
"github.com/labstack/echo/v5"
"github.com/stretchr/testify/require"
"google.golang.org/protobuf/types/known/timestamppb"
"github.com/usememos/memos/internal/markdown"
"github.com/usememos/memos/internal/profile"
"github.com/usememos/memos/internal/testutil"
"github.com/usememos/memos/internal/util"
apiv1 "github.com/usememos/memos/proto/gen/api/v1"
storepb "github.com/usememos/memos/proto/gen/store"
"github.com/usememos/memos/server/auth"
apiv1service "github.com/usememos/memos/server/router/api/v1"
"github.com/usememos/memos/store"
teststore "github.com/usememos/memos/store/test"
)
func TestServeAttachmentFile_ShareTokenAllowsDirectMemoAttachment(t *testing.T) {
ctx := context.Background()
svc, fs, _, cleanup := newShareAttachmentTestServices(ctx, t)
defer cleanup()
creator, err := svc.Store.CreateUser(ctx, &store.User{
Username: "share-parent-owner",
Role: store.RoleUser,
Email: "share-parent-owner@example.com",
})
require.NoError(t, err)
creatorCtx := context.WithValue(ctx, auth.UserIDContextKey, creator.ID)
attachment, err := svc.CreateAttachment(creatorCtx, &apiv1.CreateAttachmentRequest{
Attachment: &apiv1.Attachment{
Filename: "memo.txt",
Type: "text/plain",
Content: []byte("memo attachment"),
},
})
require.NoError(t, err)
parentMemo, err := svc.CreateMemo(creatorCtx, &apiv1.CreateMemoRequest{
Memo: &apiv1.Memo{
Content: "shared parent",
Visibility: apiv1.Visibility_PROTECTED,
Attachments: []*apiv1.Attachment{
{Name: attachment.Name},
},
},
})
require.NoError(t, err)
share, err := svc.CreateMemoShare(creatorCtx, &apiv1.CreateMemoShareRequest{
Parent: parentMemo.Name,
MemoShare: &apiv1.MemoShare{},
})
require.NoError(t, err)
shareToken := share.Name[strings.LastIndex(share.Name, "/")+1:]
e := echo.New()
fs.RegisterRoutes(e)
req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/file/%s/%s?share_token=%s", attachment.Name, attachment.Filename, shareToken), nil)
rec := httptest.NewRecorder()
e.ServeHTTP(rec, req)
require.Equal(t, http.StatusOK, rec.Code)
require.Equal(t, "memo attachment", rec.Body.String())
}
func TestServeAttachmentFile_LocalStaticFileSupportsRangeRequests(t *testing.T) {
ctx := context.Background()
svc, fs, _, cleanup := newShareAttachmentTestServices(ctx, t)
defer cleanup()
creator, err := svc.Store.CreateUser(ctx, &store.User{
Username: "range-owner",
Role: store.RoleUser,
Email: "range-owner@example.com",
})
require.NoError(t, err)
creatorCtx := context.WithValue(ctx, auth.UserIDContextKey, creator.ID)
attachment, err := svc.CreateAttachment(creatorCtx, &apiv1.CreateAttachmentRequest{
Attachment: &apiv1.Attachment{
Filename: "range.txt",
Type: "text/plain",
Content: []byte("0123456789"),
},
})
require.NoError(t, err)
_, err = svc.CreateMemo(creatorCtx, &apiv1.CreateMemoRequest{
Memo: &apiv1.Memo{
Content: "range memo",
Visibility: apiv1.Visibility_PUBLIC,
Attachments: []*apiv1.Attachment{
{Name: attachment.Name},
},
},
})
require.NoError(t, err)
e := echo.New()
fs.RegisterRoutes(e)
req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/file/%s/%s", attachment.Name, attachment.Filename), nil)
req.Header.Set("Range", "bytes=2-5")
rec := httptest.NewRecorder()
e.ServeHTTP(rec, req)
require.Equal(t, http.StatusPartialContent, rec.Code)
require.Equal(t, "2345", rec.Body.String())
require.Equal(t, "bytes 2-5/10", rec.Header().Get("Content-Range"))
}
func TestServeAttachmentFile_ShareTokenRejectsCommentAttachment(t *testing.T) {
ctx := context.Background()
svc, fs, _, cleanup := newShareAttachmentTestServices(ctx, t)
defer cleanup()
creator, err := svc.Store.CreateUser(ctx, &store.User{
Username: "private-parent-owner",
Role: store.RoleUser,
Email: "private-parent-owner@example.com",
})
require.NoError(t, err)
creatorCtx := context.WithValue(ctx, auth.UserIDContextKey, creator.ID)
commenter, err := svc.Store.CreateUser(ctx, &store.User{
Username: "share-commenter",
Role: store.RoleUser,
Email: "share-commenter@example.com",
})
require.NoError(t, err)
commenterCtx := context.WithValue(ctx, auth.UserIDContextKey, commenter.ID)
parentMemo, err := svc.CreateMemo(creatorCtx, &apiv1.CreateMemoRequest{
Memo: &apiv1.Memo{
Content: "shared parent",
Visibility: apiv1.Visibility_PROTECTED,
},
})
require.NoError(t, err)
commentAttachment, err := svc.CreateAttachment(commenterCtx, &apiv1.CreateAttachmentRequest{
Attachment: &apiv1.Attachment{
Filename: "comment.txt",
Type: "text/plain",
Content: []byte("comment attachment"),
},
})
require.NoError(t, err)
_, err = svc.CreateMemoComment(commenterCtx, &apiv1.CreateMemoCommentRequest{
Name: parentMemo.Name,
Comment: &apiv1.Memo{
Content: "comment with attachment",
Visibility: apiv1.Visibility_PROTECTED,
Attachments: []*apiv1.Attachment{
{Name: commentAttachment.Name},
},
},
})
require.NoError(t, err)
share, err := svc.CreateMemoShare(creatorCtx, &apiv1.CreateMemoShareRequest{
Parent: parentMemo.Name,
MemoShare: &apiv1.MemoShare{},
})
require.NoError(t, err)
shareToken := share.Name[strings.LastIndex(share.Name, "/")+1:]
e := echo.New()
fs.RegisterRoutes(e)
req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/file/%s/%s?share_token=%s", commentAttachment.Name, commentAttachment.Filename, shareToken), nil)
rec := httptest.NewRecorder()
e.ServeHTTP(rec, req)
require.Equal(t, http.StatusUnauthorized, rec.Code)
}
func TestServeAttachmentFile_MotionClip(t *testing.T) {
ctx := context.Background()
svc, fs, _, cleanup := newShareAttachmentTestServices(ctx, t)
defer cleanup()
creator, err := svc.Store.CreateUser(ctx, &store.User{
Username: "motion-owner",
Role: store.RoleUser,
Email: "motion-owner@example.com",
})
require.NoError(t, err)
creatorCtx := context.WithValue(ctx, auth.UserIDContextKey, creator.ID)
attachment, err := svc.CreateAttachment(creatorCtx, &apiv1.CreateAttachmentRequest{
Attachment: &apiv1.Attachment{
Filename: "motion.jpg",
Type: "image/jpeg",
Content: testutil.BuildMotionPhotoJPEG(),
},
})
require.NoError(t, err)
_, err = svc.CreateMemo(creatorCtx, &apiv1.CreateMemoRequest{
Memo: &apiv1.Memo{
Content: "motion memo",
Visibility: apiv1.Visibility_PUBLIC,
Attachments: []*apiv1.Attachment{
{Name: attachment.Name},
},
},
})
require.NoError(t, err)
e := echo.New()
fs.RegisterRoutes(e)
req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/file/%s/%s?motion=true", attachment.Name, attachment.Filename), nil)
rec := httptest.NewRecorder()
e.ServeHTTP(rec, req)
require.Equal(t, http.StatusOK, rec.Code)
require.Equal(t, "video/mp4", rec.Header().Get("Content-Type"))
require.Contains(t, rec.Body.String(), "ftyp")
}
func TestServeAttachmentFile_SVGThumbnailServedAsImageWithSecurityHeaders(t *testing.T) {
ctx := context.Background()
svc, fs, _, cleanup := newShareAttachmentTestServices(ctx, t)
defer cleanup()
creator, err := svc.Store.CreateUser(ctx, &store.User{
Username: "svg-owner",
Role: store.RoleUser,
Email: "svg-owner@example.com",
})
require.NoError(t, err)
creatorCtx := context.WithValue(ctx, auth.UserIDContextKey, creator.ID)
svgContent := []byte(`<svg xmlns="http://www.w3.org/2000/svg" width="120" height="40"><text x="0" y="20">memos</text></svg>`)
attachment, err := svc.CreateAttachment(creatorCtx, &apiv1.CreateAttachmentRequest{
Attachment: &apiv1.Attachment{
Filename: "preview.svg",
Type: "image/svg+xml",
Content: svgContent,
},
})
require.NoError(t, err)
_, err = svc.CreateMemo(creatorCtx, &apiv1.CreateMemoRequest{
Memo: &apiv1.Memo{
Content: "svg memo",
Visibility: apiv1.Visibility_PUBLIC,
Attachments: []*apiv1.Attachment{
{Name: attachment.Name},
},
},
})
require.NoError(t, err)
e := echo.New()
fs.RegisterRoutes(e)
req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/file/%s/%s?thumbnail=true", attachment.Name, attachment.Filename), nil)
rec := httptest.NewRecorder()
e.ServeHTTP(rec, req)
require.Equal(t, http.StatusOK, rec.Code)
require.Equal(t, "image/svg+xml", rec.Header().Get("Content-Type"))
require.Empty(t, rec.Header().Get("Content-Disposition"))
require.Equal(t, "nosniff", rec.Header().Get("X-Content-Type-Options"))
require.Equal(t, "default-src 'none'; style-src 'unsafe-inline';", rec.Header().Get("Content-Security-Policy"))
require.Equal(t, svgContent, rec.Body.Bytes())
}
func TestServeAttachmentFile_ThumbnailWithSensitiveMetadataServesOriginal(t *testing.T) {
ctx := context.Background()
svc, fs, _, cleanup := newShareAttachmentTestServices(ctx, t)
defer cleanup()
creator, err := svc.Store.CreateUser(ctx, &store.User{
Username: "hdr-owner",
Role: store.RoleUser,
Email: "hdr-owner@example.com",
})
require.NoError(t, err)
creatorCtx := context.WithValue(ctx, auth.UserIDContextKey, creator.ID)
imageContent := testPNGWithChunk(t, "cICP", []byte{9, 16, 9, 1})
attachment, err := svc.CreateAttachment(creatorCtx, &apiv1.CreateAttachmentRequest{
Attachment: &apiv1.Attachment{
Filename: "hdr.png",
Type: "image/png",
Content: imageContent,
},
})
require.NoError(t, err)
_, err = svc.CreateMemo(creatorCtx, &apiv1.CreateMemoRequest{
Memo: &apiv1.Memo{
Content: "hdr memo",
Visibility: apiv1.Visibility_PUBLIC,
Attachments: []*apiv1.Attachment{
{Name: attachment.Name},
},
},
})
require.NoError(t, err)
e := echo.New()
fs.RegisterRoutes(e)
req := httptest.NewRequest(http.MethodGet, fmt.Sprintf("/file/%s/%s?thumbnail=true", attachment.Name, attachment.Filename), nil)
rec := httptest.NewRecorder()
e.ServeHTTP(rec, req)
require.Equal(t, http.StatusOK, rec.Code)
require.Equal(t, "image/png", rec.Header().Get("Content-Type"))
require.Equal(t, imageContent, rec.Body.Bytes())
}
func TestHasThumbnailSensitiveMetadata(t *testing.T) {
tests := []struct {
name string
mimeType string
data []byte
want bool
}{
{
name: "jpeg hdr gain map",
mimeType: "image/jpeg",
data: []byte("xmp hdrgm:Version=\"1.0\""),
want: true,
},
{
name: "jpeg icc profile",
mimeType: "image/jpeg",
data: []byte("ICC_PROFILE"),
want: true,
},
{
name: "png cicp chunk",
mimeType: "image/png",
data: []byte("cICP"),
want: true,
},
{
name: "heic",
mimeType: "image/heic",
data: nil,
want: true,
},
{
name: "plain jpeg",
mimeType: "image/jpeg",
data: []byte("plain image data"),
want: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
require.Equal(t, tt.want, hasThumbnailSensitiveMetadata(tt.mimeType, tt.data))
})
}
}
func testPNGWithChunk(t *testing.T, chunkType string, chunkData []byte) []byte {
t.Helper()
img := image.NewRGBA(image.Rect(0, 0, 1, 1))
img.Set(0, 0, color.RGBA{R: 255, A: 255})
var encoded bytes.Buffer
require.NoError(t, png.Encode(&encoded, img))
pngData := encoded.Bytes()
iendIndex := bytes.LastIndex(pngData, []byte("IEND"))
require.GreaterOrEqual(t, iendIndex, 4)
chunkStart := iendIndex - 4
var chunk bytes.Buffer
require.NoError(t, binary.Write(&chunk, binary.BigEndian, uint32(len(chunkData))))
chunk.WriteString(chunkType)
chunk.Write(chunkData)
checksum := crc32.ChecksumIEEE(append([]byte(chunkType), chunkData...))
require.NoError(t, binary.Write(&chunk, binary.BigEndian, checksum))
result := make([]byte, 0, len(pngData)+chunk.Len())
result = append(result, pngData[:chunkStart]...)
result = append(result, chunk.Bytes()...)
result = append(result, pngData[chunkStart:]...)
return result
}
func newShareAttachmentTestServices(ctx context.Context, t *testing.T) (*apiv1service.APIV1Service, *FileServerService, *store.Store, func()) {
t.Helper()
testStore := teststore.NewTestingStore(ctx, t)
testProfile := &profile.Profile{
Demo: true,
Version: "test-1.0.0",
InstanceURL: "http://localhost:8080",
Driver: "sqlite",
DSN: ":memory:",
Data: t.TempDir(),
}
secret := "test-secret"
markdownService := markdown.NewService(markdown.WithTagExtension())
apiService := &apiv1service.APIV1Service{
Secret: secret,
Profile: testProfile,
Store: testStore,
MarkdownService: markdownService,
SSEHub: apiv1service.NewSSEHub(),
}
fileService := NewFileServerService(testProfile, testStore, secret)
return apiService, fileService, testStore, func() {
testStore.Close()
}
}
// makePNGDataURI returns a minimal valid PNG encoded as a data URI, suitable for a
// user avatar.
func makePNGDataURI(t *testing.T) string {
t.Helper()
img := image.NewRGBA(image.Rect(0, 0, 1, 1))
img.Set(0, 0, color.RGBA{R: 1, G: 2, B: 3, A: 255})
var buf bytes.Buffer
require.NoError(t, png.Encode(&buf, img))
return "data:image/png;base64," + base64.StdEncoding.EncodeToString(buf.Bytes())
}
// TestServeAttachmentFile_PrivateInstanceDeniesAnonymous verifies that a public
// memo's attachment is served to anonymous visitors on an open instance but denied
// on a private instance (no InstanceURL configured).
func TestServeAttachmentFile_PrivateInstanceDeniesAnonymous(t *testing.T) {
ctx := context.Background()
svc, fs, _, cleanup := newShareAttachmentTestServices(ctx, t)
defer cleanup()
creator, err := svc.Store.CreateUser(ctx, &store.User{
Username: "private-attachment-owner",
Role: store.RoleUser,
Email: "private-attachment-owner@example.com",
})
require.NoError(t, err)
creatorCtx := context.WithValue(ctx, auth.UserIDContextKey, creator.ID)
attachment, err := svc.CreateAttachment(creatorCtx, &apiv1.CreateAttachmentRequest{
Attachment: &apiv1.Attachment{
Filename: "public.txt",
Type: "text/plain",
Content: []byte("public content"),
},
})
require.NoError(t, err)
_, err = svc.CreateMemo(creatorCtx, &apiv1.CreateMemoRequest{
Memo: &apiv1.Memo{
Content: "public memo",
Visibility: apiv1.Visibility_PUBLIC,
Attachments: []*apiv1.Attachment{{Name: attachment.Name}},
},
})
require.NoError(t, err)
e := echo.New()
fs.RegisterRoutes(e)
url := fmt.Sprintf("/file/%s/%s", attachment.Name, attachment.Filename)
anonymousGet := func() int {
rec := httptest.NewRecorder()
e.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, url, nil))
return rec.Code
}
// Open instance: anonymous access to a public memo's attachment is allowed.
fs.Profile.InstanceURL = "http://localhost:8080"
require.Equal(t, http.StatusOK, anonymousGet())
// Private instance: the same anonymous request is denied.
fs.Profile.InstanceURL = ""
require.Equal(t, http.StatusUnauthorized, anonymousGet())
}
// TestServeUserAvatar_PrivateInstanceRequiresAuth verifies that avatars are exposed
// to anonymous visitors on an open instance but require authentication on a private
// instance.
func TestServeUserAvatar_PrivateInstanceRequiresAuth(t *testing.T) {
ctx := context.Background()
svc, fs, _, cleanup := newShareAttachmentTestServices(ctx, t)
defer cleanup()
_, err := svc.Store.CreateUser(ctx, &store.User{
Username: "avatar-owner",
Role: store.RoleUser,
Email: "avatar-owner@example.com",
AvatarURL: makePNGDataURI(t),
})
require.NoError(t, err)
e := echo.New()
fs.RegisterRoutes(e)
anonymousGet := func() int {
rec := httptest.NewRecorder()
e.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/file/users/avatar-owner/avatar", nil))
return rec.Code
}
// Open instance: anonymous avatar access is allowed.
fs.Profile.InstanceURL = "http://localhost:8080"
require.Equal(t, http.StatusOK, anonymousGet())
// Private instance: anonymous avatar access is denied.
fs.Profile.InstanceURL = ""
require.Equal(t, http.StatusUnauthorized, anonymousGet())
}
// TestServeAttachmentFile_RefreshCookieAuthenticatesOwner verifies that the file
// server authenticates a request via the refresh-token cookie (the browser <img>
// flow) — the AuthenticateToUser cookie fallback — letting the owner fetch their own
// private memo's attachment without an Authorization header.
func TestServeAttachmentFile_RefreshCookieAuthenticatesOwner(t *testing.T) {
ctx := context.Background()
svc, fs, _, cleanup := newShareAttachmentTestServices(ctx, t)
defer cleanup()
owner, err := svc.Store.CreateUser(ctx, &store.User{
Username: "cookie-owner",
Role: store.RoleUser,
Email: "cookie-owner@example.com",
})
require.NoError(t, err)
ownerCtx := context.WithValue(ctx, auth.UserIDContextKey, owner.ID)
attachment, err := svc.CreateAttachment(ownerCtx, &apiv1.CreateAttachmentRequest{
Attachment: &apiv1.Attachment{
Filename: "secret.txt",
Type: "text/plain",
Content: []byte("secret content"),
},
})
require.NoError(t, err)
_, err = svc.CreateMemo(ownerCtx, &apiv1.CreateMemoRequest{
Memo: &apiv1.Memo{
Content: "private memo",
Visibility: apiv1.Visibility_PRIVATE,
Attachments: []*apiv1.Attachment{{Name: attachment.Name}},
},
})
require.NoError(t, err)
// Mint a valid refresh token for the owner and store its record.
tokenID := util.GenUUID()
require.NoError(t, svc.Store.AddUserRefreshToken(ctx, owner.ID, &storepb.RefreshTokensUserSetting_RefreshToken{
TokenId: tokenID,
ExpiresAt: timestamppb.New(time.Now().Add(auth.RefreshTokenDuration)),
CreatedAt: timestamppb.Now(),
}))
refreshToken, _, err := auth.GenerateRefreshToken(owner.ID, tokenID, []byte(svc.Secret))
require.NoError(t, err)
e := echo.New()
fs.RegisterRoutes(e)
url := fmt.Sprintf("/file/%s/%s", attachment.Name, attachment.Filename)
// Without credentials, the private attachment is denied.
rec := httptest.NewRecorder()
e.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, url, nil))
require.Equal(t, http.StatusUnauthorized, rec.Code)
// With the refresh-token cookie, the owner is authenticated and served.
req := httptest.NewRequest(http.MethodGet, url, nil)
req.AddCookie(&http.Cookie{Name: auth.RefreshTokenCookieName, Value: refreshToken})
rec = httptest.NewRecorder()
e.ServeHTTP(rec, req)
require.Equal(t, http.StatusOK, rec.Code)
require.Equal(t, "secret content", rec.Body.String())
}