Fix Niels Guest Get File

[nielsdrost7]

Fix Niels Guest Get File

Summary by CodeRabbit

• Bug Fixes

  • Improved reliability of file downloads with more accurate content type and size detection.
  • Sanitized filenames in download prompts to avoid unexpected characters.
  • Clearer 404 responses that include concise reference details when available.

• Refactor

  • Strengthened path validation to ensure files are served only from allowed locations.
  • Consistent use of validated paths throughout the file-serving flow for added safety.

[Copilot]

Pull Request Overview

This PR fixes a critical security vulnerability in the guest file download functionality by implementing proper path traversal protection and file validation.

Key changes:

• Added path traversal protection using basename() and realpath() validation
• Implemented proper directory boundary checks to prevent accessing files outside the target directory
• Enhanced file existence and safety validation before serving files

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

Pull Request Overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Refactors guest file-serving to sanitize filenames, validate base and target paths with realpath, enforce that target resides under the base directory, compute MIME/size from the validated path, use the sanitized name in Content-Disposition, and return 404 for invalid paths.

Changes

Cohort / File(s)	Summary
Secure file-serving validation application/modules/guest/controllers/Get.php	Replace direct file_exists checks with basename sanitization and realpath validation of base and target paths; ensure target is contained within base; derive extension, MIME type, and size from validated real file path; use sanitized filename in Content-Disposition; read from validated path; update 404 responses and early-return flow.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant C as Client
  participant Ctr as Guest.Get Controller
  participant FS as Filesystem

  C->>Ctr: GET /guest/get?ref=...&file=...
  Ctr->>FS: realpath(baseDir)
  alt baseDir invalid
    Ctr-->>C: 404 Not Found (base invalid)
  else baseDir ok
    Ctr->>Ctr: sanitize filename (basename)
    Ctr->>FS: realpath(fullPath of sanitized name)
    alt target invalid or not under base
      Ctr-->>C: 404 Not Found (target invalid/outside base)
    else target valid
      Ctr->>FS: stat(realFile) -> size, ext
      Ctr-->>C: 200 OK
      Note right of Ctr: Headers set using sanitized name and realFile metadata
      Ctr->>C: file bytes (readfile(realFile))
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I hop along the secure path bright,
Basenames trimmed and realpaths tight,
No hidden tunnels, no sly surprise,
Files served true beneath safe skies. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title Check	⚠️ Warning	The title “Fix Niels Guest Get File” is vague and includes the author’s name rather than clearly summarizing the primary change, which is replacing a direct file check with a secure file‐serving flow that sanitizes input and validates paths via realpath. It does not convey the adoption of basename sanitization, real directory validation, or updated 404 handling that are central to this PR.	Please rename the pull request to clearly reflect the main changes, for example “Implement secure file serving in guest Get controller with basename sanitization and realpath validation.”
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/niels-3-guest-get-file

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9dff57e and 921225a.

📒 Files selected for processing (1)

• application/modules/guest/controllers/Get.php (1 hunks)

🔇 Additional comments (3)

application/modules/guest/controllers/Get.php (3)

48-57: Excellent security improvements implemented.

The implementation now properly addresses the past review feedback:

• basename() sanitization prevents directory traversal in the filename
• realpath() validation on the base directory ensures it exists before proceeding
• Early return statement prevents execution after error response

The security foundation is solid.

---

59-70: Path traversal protection correctly implemented.

The security check properly validates that the resolved file path resides within the base directory. The implementation addresses previous feedback:

• Uses str_starts_with() with DIRECTORY_SEPARATOR to prevent prefix-only matches
• Removed redundant file_exists() check since realpath() returns false for non-existent files
• Added early return statement after error response

Note: While mb_rtrim() on line 59 is unnecessary for single-byte DIRECTORY_SEPARATOR, the developer indicated this is intentional (auto-formatted by IDE).

---

82-82: Correct use of validated file path.

Using $realFile for readfile() ensures the actual file being served matches the path that passed all security validations.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Copilot]

Pull Request Overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The filename in the Content-Disposition header should be properly escaped to prevent header injection attacks. Consider using addcslashes($safeFilename, '"\\') or a similar escaping method to handle filenames containing quotes or backslashes.

Suggested change

	header('Content-Disposition: attachment; filename="' . $safeFilename . '"');
	header('Content-Disposition: attachment; filename="' . addcslashes($safeFilename, '"\\') . '"');

[Copilot]

The filesize() function can return false on failure, but this value is used directly in the Content-Length header without validation. This could result in an incorrect Content-Length header being set.

Suggested change

	$file_size = filesize($realFile);
	$file_size = filesize($realFile);
	if ($file_size === false) {
	$this->respond_message(404, 'upload_error_file_not_found', $realFile);
	return;
	}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

application/modules/guest/controllers/Get.php (1)

59-70: Path traversal protection correctly implemented.

The code properly prevents directory traversal attacks by:

1. Normalizing the base path with a trailing separator (line 59)
2. Resolving the real path of the target file (line 60)
3. Verifying the file exists and resides within the allowed directory (lines 62-65)

This addresses the past review comments about using DIRECTORY_SEPARATOR in the check and removing the redundant file_exists() condition.

Consider adding an explicit is_file() check to prevent serving directories:

 if (
     $realFile === false ||
+    ! is_file($realFile) ||
     ( ! str_starts_with($realFile, $realBaseWithSep))
 ) {

While readfile() on a directory won't cause security issues (it fails safely), an explicit check improves clarity and prevents unnecessary processing.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9dff57e and 921225a.

📒 Files selected for processing (1)

• application/modules/guest/controllers/Get.php (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

application/modules/guest/controllers/Get.php (1)

application/modules/upload/controllers/Upload.php (1)

• respond_message (163-173)

🔇 Additional comments (2)

application/modules/guest/controllers/Get.php (2)

49-57: LGTM! Path sanitization and base validation implemented correctly.

The use of basename() prevents directory traversal, and the realpath() validation ensures the base directory exists before proceeding. The early return statement at line 56 addresses the past review comment about missing return after error response.

---

72-82: LGTM! Validated paths and sanitized filenames used throughout.

The code correctly uses:

• $realFile for extracting metadata (lines 72-75) and reading the file (line 82)
• $safeFilename in the Content-Disposition header (line 79)

This ensures all file operations and headers use validated, sanitized data rather than raw user input, preventing potential injection or information disclosure issues.

[nielsdrost7]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[nielsdrost7]

closing this one, this one is merged when i merged #1354