{"version":3,"file":"file.mjs","sources":["../../../server/src/services/file.ts"],"sourcesContent":["import path from 'path';\nimport dns from 'dns/promises';\nimport net from 'net';\nimport fse from 'fs-extra';\nimport { cloneDeep } from 'lodash/fp';\nimport { async, errors } from '@strapi/utils';\n\nimport { FOLDER_MODEL_UID, FILE_MODEL_UID } from '../constants';\nimport { getService } from '../utils';\n\nimport { Config, type File } from '../types';\n\nconst { ApplicationError } = errors;\n\nconst FETCH_TIMEOUT_MS = 60_000; // 60 seconds\n\n// Blocks loopback, link-local (cloud metadata), and RFC-1918 private ranges to prevent SSRF\nconst SSRF_BLOCK_LIST = new net.BlockList();\nSSRF_BLOCK_LIST.addSubnet('127.0.0.0', 8); // loopback\nSSRF_BLOCK_LIST.addSubnet('10.0.0.0', 8); // RFC-1918\nSSRF_BLOCK_LIST.addSubnet('172.16.0.0', 12); // RFC-1918\nSSRF_BLOCK_LIST.addSubnet('192.168.0.0', 16); // RFC-1918\nSSRF_BLOCK_LIST.addSubnet('169.254.0.0', 16); // link-local / cloud metadata (AWS, GCP, Azure)\nSSRF_BLOCK_LIST.addSubnet('::1', 128, 'ipv6'); // IPv6 loopback\nSSRF_BLOCK_LIST.addSubnet('fc00::', 7, 'ipv6'); // IPv6 unique local\nSSRF_BLOCK_LIST.addSubnet('fe80::', 10, 'ipv6'); // IPv6 link-local\n\n/**\n * Represents a file fetched from a URL, compatible with the upload pipeline\n */\ninterface UrlFetchedFile {\n  filepath: string;\n  originalFilename: string;\n  mimetype: string;\n  size: number;\n  tmpWorkingDirectory?: string;\n}\n\ninterface FetchUrlResult {\n  file: UrlFetchedFile;\n}\n\n/**\n * Extracts filename from a URL path or Content-Disposition header\n */\nconst getFilenameFromUrl = (url: string, contentDisposition?: string | null): string => {\n  // Try Content-Disposition header first\n  if (contentDisposition) {\n    // Extracts filename from Content-Disposition header (e.g. filename=\"photo.jpg\" or filename*=UTF-8''photo.jpg)\n    const filenameMatch = contentDisposition.match(\n      /filename\\*?=['\"]?(?:UTF-\\d['\"]*)?([^;\\r\\n\"']*)['\"]?/i\n    );\n    if (filenameMatch?.[1]) {\n      // Use path.basename to prevent path traversal attacks\n      return path.basename(decodeURIComponent(filenameMatch[1]));\n    }\n  }\n\n  // Fall back to URL path\n  try {\n    const urlObj = new URL(url);\n    const pathname = urlObj.pathname;\n    const filename = pathname.split('/').pop();\n    if (filename && filename.length > 0) {\n      // Use path.basename to prevent path traversal attacks (e.g., URL-encoded separators)\n      return path.basename(decodeURIComponent(filename));\n    }\n  } catch {\n    // Invalid URL, use default\n  }\n\n  // Generate a timestamp-based default filename\n  const now = new Date();\n  const date = now.toISOString().split('T')[0]; // 2024-02-23\n  const time = now.toTimeString().split(' ')[0].replace(/:/g, ''); // 143052\n  return `untitled_${date}_${time}`;\n};\n\n/**\n * Fetches a URL and saves it as a temporary file\n * Returns an InputFile-compatible object for use with the upload pipeline\n */\nconst fetchUrlToInputFile = async (\n  url: string,\n  tmpWorkingDirectory: string,\n  sizeLimit?: number\n): Promise<FetchUrlResult> => {\n  // Validate URL protocol\n  let parsedUrl: URL;\n  try {\n    parsedUrl = new URL(url);\n  } catch {\n    throw new ApplicationError(`Invalid URL: ${url}`);\n  }\n\n  if (!['http:', 'https:'].includes(parsedUrl.protocol)) {\n    throw new ApplicationError(`Invalid URL protocol. Only http and https are allowed: ${url}`);\n  }\n\n  // Resolve hostname and block private/internal IP ranges to prevent SSRF\n  try {\n    const { address, family } = await dns.lookup(parsedUrl.hostname);\n    const type = family === 6 ? 'ipv6' : 'ipv4';\n    if (SSRF_BLOCK_LIST.check(address, type)) {\n      throw new ApplicationError(`URL resolves to a blocked address: ${url}`);\n    }\n  } catch (error) {\n    if (error instanceof ApplicationError) throw error;\n    throw new ApplicationError(`Could not resolve hostname: ${parsedUrl.hostname}`);\n  }\n\n  // use strapi.fetch so we can intercept requests and support proxy settings\n  const doFetch = typeof strapi?.fetch === 'function' ? strapi.fetch : fetch;\n  let response: Response;\n  try {\n    response = await doFetch(url, { signal: AbortSignal.timeout(FETCH_TIMEOUT_MS) });\n  } catch (error) {\n    if (error instanceof Error && error.name === 'TimeoutError') {\n      throw new ApplicationError(`Request timed out while fetching URL: ${url}`);\n    }\n    throw error;\n  }\n\n  if (!response.ok) {\n    throw new ApplicationError(\n      `Failed to fetch URL: ${url} (${response.status} ${response.statusText})`\n    );\n  }\n\n  // Check Content-Length header for early rejection of large files\n  if (sizeLimit) {\n    const contentLength = response.headers.get('content-length');\n    if (contentLength && parseInt(contentLength, 10) > sizeLimit) {\n      throw new ApplicationError(\n        `File too large: maximum allowed size is ${Math.round(sizeLimit / (1024 * 1024))}MB`\n      );\n    }\n  }\n\n  // Get content type and filename\n  const contentType =\n    response.headers.get('content-type')?.split(';')[0] || 'application/octet-stream';\n  const contentDisposition = response.headers.get('content-disposition');\n  const filename = getFilenameFromUrl(response.url, contentDisposition);\n\n  // Read response body\n  const arrayBuffer = await response.arrayBuffer();\n  const buffer = Buffer.from(arrayBuffer);\n\n  // Write to temp file\n  const tmpFilePath = path.join(tmpWorkingDirectory, filename);\n  await fse.writeFile(tmpFilePath, buffer);\n\n  // Create file object compatible with upload pipeline\n  const fetchedFile: UrlFetchedFile = {\n    filepath: tmpFilePath,\n    originalFilename: filename,\n    mimetype: contentType,\n    size: buffer.length,\n    tmpWorkingDirectory,\n  };\n\n  return { file: fetchedFile };\n};\n\nconst getFolderPath = async (folderId?: number | null) => {\n  if (!folderId) return '/';\n\n  const parentFolder = await strapi.db.query(FOLDER_MODEL_UID).findOne({ where: { id: folderId } });\n\n  return parentFolder.path;\n};\n\nconst deleteByIds = async (ids: number[] = []) => {\n  const filesToDelete = await strapi.db\n    .query(FILE_MODEL_UID)\n    .findMany({ where: { id: { $in: ids } } });\n\n  await Promise.all(filesToDelete.map((file: File) => getService('upload').remove(file)));\n\n  return filesToDelete;\n};\n\nconst signFileUrls = async (file: File) => {\n  const { provider } = strapi.plugins.upload;\n  const { provider: providerConfig } = strapi.config.get<Config>('plugin::upload');\n  const isPrivate = await provider.isPrivate();\n  file.isUrlSigned = false;\n\n  // Check file provider and if provider is private\n  if (file.provider !== providerConfig || !isPrivate) {\n    return file;\n  }\n\n  const signUrl = async (file: File) => {\n    const signedUrl = await provider.getSignedUrl(file);\n    file.url = signedUrl.url;\n    file.isUrlSigned = true;\n  };\n\n  const signedFile = cloneDeep(file);\n\n  // Sign each file format\n  await signUrl(signedFile);\n  if (file.formats) {\n    await async.map(Object.values(signedFile.formats ?? {}), signUrl);\n  }\n\n  return signedFile;\n};\n\nexport type { UrlFetchedFile, FetchUrlResult };\nexport default { getFolderPath, deleteByIds, signFileUrls, fetchUrlToInputFile };\n"],"names":["ApplicationError","errors","FETCH_TIMEOUT_MS","SSRF_BLOCK_LIST","net","BlockList","addSubnet","getFilenameFromUrl","url","contentDisposition","filenameMatch","match","path","basename","decodeURIComponent","urlObj","URL","pathname","filename","split","pop","length","now","Date","date","toISOString","time","toTimeString","replace","fetchUrlToInputFile","tmpWorkingDirectory","sizeLimit","parsedUrl","includes","protocol","address","family","dns","lookup","hostname","type","check","error","doFetch","strapi","fetch","response","signal","AbortSignal","timeout","Error","name","ok","status","statusText","contentLength","headers","get","parseInt","Math","round","contentType","arrayBuffer","buffer","Buffer","from","tmpFilePath","join","fse","writeFile","fetchedFile","filepath","originalFilename","mimetype","size","file","getFolderPath","folderId","parentFolder","db","query","FOLDER_MODEL_UID","findOne","where","id","deleteByIds","ids","filesToDelete","FILE_MODEL_UID","findMany","$in","Promise","all","map","getService","remove","signFileUrls","provider","plugins","upload","providerConfig","config","isPrivate","isUrlSigned","signUrl","signedUrl","getSignedUrl","signedFile","cloneDeep","formats","async","Object","values"],"mappings":";;;;;;;;;AAYA,MAAM,EAAEA,gBAAgB,EAAE,GAAGC,MAAAA;AAE7B,MAAMC,gBAAAA,GAAmB;AAEzB;AACA,MAAMC,eAAAA,GAAkB,IAAIC,GAAAA,CAAIC,SAAS,EAAA;AACzCF,eAAAA,CAAgBG,SAAS,CAAC,WAAA,EAAa,CAAA,CAAA,CAAA;AACvCH,eAAAA,CAAgBG,SAAS,CAAC,UAAA,EAAY,CAAA,CAAA,CAAA;AACtCH,eAAAA,CAAgBG,SAAS,CAAC,YAAA,EAAc,EAAA,CAAA,CAAA;AACxCH,eAAAA,CAAgBG,SAAS,CAAC,aAAA,EAAe,EAAA,CAAA,CAAA;AACzCH,eAAAA,CAAgBG,SAAS,CAAC,aAAA,EAAe,EAAA,CAAA,CAAA;AACzCH,eAAAA,CAAgBG,SAAS,CAAC,KAAA,EAAO,GAAA,EAAK;AACtCH,eAAAA,CAAgBG,SAAS,CAAC,QAAA,EAAU,CAAA,EAAG;AACvCH,eAAAA,CAAgBG,SAAS,CAAC,QAAA,EAAU,EAAA,EAAI;AAiBxC;;IAGA,MAAMC,kBAAAA,GAAqB,CAACC,GAAAA,EAAaC,kBAAAA,GAAAA;;AAEvC,IAAA,IAAIA,kBAAAA,EAAoB;;QAEtB,MAAMC,aAAAA,GAAgBD,kBAAAA,CAAmBE,KAAK,CAC5C,sDAAA,CAAA;QAEF,IAAID,aAAAA,GAAgB,CAAA,CAAE,EAAE;;AAEtB,YAAA,OAAOE,KAAKC,QAAQ,CAACC,kBAAAA,CAAmBJ,aAAa,CAAC,CAAA,CAAE,CAAA,CAAA;AAC1D,QAAA;AACF,IAAA;;IAGA,IAAI;QACF,MAAMK,MAAAA,GAAS,IAAIC,GAAAA,CAAIR,GAAAA,CAAAA;QACvB,MAAMS,QAAAA,GAAWF,OAAOE,QAAQ;AAChC,QAAA,MAAMC,QAAAA,GAAWD,QAAAA,CAASE,KAAK,CAAC,KAAKC,GAAG,EAAA;AACxC,QAAA,IAAIF,QAAAA,IAAYA,QAAAA,CAASG,MAAM,GAAG,CAAA,EAAG;;YAEnC,OAAOT,IAAAA,CAAKC,QAAQ,CAACC,kBAAAA,CAAmBI,QAAAA,CAAAA,CAAAA;AAC1C,QAAA;AACF,IAAA,CAAA,CAAE,OAAM;;AAER,IAAA;;AAGA,IAAA,MAAMI,MAAM,IAAIC,IAAAA,EAAAA;IAChB,MAAMC,IAAAA,GAAOF,GAAAA,CAAIG,WAAW,EAAA,CAAGN,KAAK,CAAC,GAAA,CAAI,CAAC,CAAA,CAAE,CAAA;AAC5C,IAAA,MAAMO,IAAAA,GAAOJ,GAAAA,CAAIK,YAAY,EAAA,CAAGR,KAAK,CAAC,GAAA,CAAI,CAAC,CAAA,CAAE,CAACS,OAAO,CAAC,IAAA,EAAM;AAC5D,IAAA,OAAO,CAAC,SAAS,EAAEJ,IAAAA,CAAK,CAAC,EAAEE,IAAAA,CAAAA,CAAM;AACnC,CAAA;AAEA;;;AAGC,IACD,MAAMG,mBAAAA,GAAsB,OAC1BrB,GAAAA,EACAsB,mBAAAA,EACAC,SAAAA,GAAAA;;IAGA,IAAIC,SAAAA;IACJ,IAAI;AACFA,QAAAA,SAAAA,GAAY,IAAIhB,GAAAA,CAAIR,GAAAA,CAAAA;AACtB,IAAA,CAAA,CAAE,OAAM;AACN,QAAA,MAAM,IAAIR,gBAAAA,CAAiB,CAAC,aAAa,EAAEQ,GAAAA,CAAAA,CAAK,CAAA;AAClD,IAAA;AAEA,IAAA,IAAI,CAAC;AAAC,QAAA,OAAA;AAAS,QAAA;AAAS,KAAA,CAACyB,QAAQ,CAACD,SAAAA,CAAUE,QAAQ,CAAA,EAAG;AACrD,QAAA,MAAM,IAAIlC,gBAAAA,CAAiB,CAAC,uDAAuD,EAAEQ,GAAAA,CAAAA,CAAK,CAAA;AAC5F,IAAA;;IAGA,IAAI;QACF,MAAM,EAAE2B,OAAO,EAAEC,MAAM,EAAE,GAAG,MAAMC,GAAAA,CAAIC,MAAM,CAACN,SAAAA,CAAUO,QAAQ,CAAA;QAC/D,MAAMC,IAAAA,GAAOJ,MAAAA,KAAW,CAAA,GAAI,MAAA,GAAS,MAAA;AACrC,QAAA,IAAIjC,eAAAA,CAAgBsC,KAAK,CAACN,OAAAA,EAASK,IAAAA,CAAAA,EAAO;AACxC,YAAA,MAAM,IAAIxC,gBAAAA,CAAiB,CAAC,mCAAmC,EAAEQ,GAAAA,CAAAA,CAAK,CAAA;AACxE,QAAA;AACF,IAAA,CAAA,CAAE,OAAOkC,KAAAA,EAAO;QACd,IAAIA,KAAAA,YAAiB1C,kBAAkB,MAAM0C,KAAAA;AAC7C,QAAA,MAAM,IAAI1C,gBAAAA,CAAiB,CAAC,4BAA4B,EAAEgC,SAAAA,CAAUO,QAAQ,CAAA,CAAE,CAAA;AAChF,IAAA;;AAGA,IAAA,MAAMI,UAAU,OAAOC,MAAAA,EAAQC,UAAU,UAAA,GAAaD,MAAAA,CAAOC,KAAK,GAAGA,KAAAA;IACrE,IAAIC,QAAAA;IACJ,IAAI;QACFA,QAAAA,GAAW,MAAMH,QAAQnC,GAAAA,EAAK;YAAEuC,MAAAA,EAAQC,WAAAA,CAAYC,OAAO,CAAC/C,gBAAAA;AAAkB,SAAA,CAAA;AAChF,IAAA,CAAA,CAAE,OAAOwC,KAAAA,EAAO;AACd,QAAA,IAAIA,KAAAA,YAAiBQ,KAAAA,IAASR,KAAAA,CAAMS,IAAI,KAAK,cAAA,EAAgB;AAC3D,YAAA,MAAM,IAAInD,gBAAAA,CAAiB,CAAC,sCAAsC,EAAEQ,GAAAA,CAAAA,CAAK,CAAA;AAC3E,QAAA;QACA,MAAMkC,KAAAA;AACR,IAAA;IAEA,IAAI,CAACI,QAAAA,CAASM,EAAE,EAAE;AAChB,QAAA,MAAM,IAAIpD,gBAAAA,CACR,CAAC,qBAAqB,EAAEQ,IAAI,EAAE,EAAEsC,QAAAA,CAASO,MAAM,CAAC,CAAC,EAAEP,SAASQ,UAAU,CAAC,CAAC,CAAC,CAAA;AAE7E,IAAA;;AAGA,IAAA,IAAIvB,SAAAA,EAAW;AACb,QAAA,MAAMwB,aAAAA,GAAgBT,QAAAA,CAASU,OAAO,CAACC,GAAG,CAAC,gBAAA,CAAA;AAC3C,QAAA,IAAIF,aAAAA,IAAiBG,QAAAA,CAASH,aAAAA,EAAe,EAAA,CAAA,GAAMxB,SAAAA,EAAW;AAC5D,YAAA,MAAM,IAAI/B,gBAAAA,CACR,CAAC,wCAAwC,EAAE2D,IAAAA,CAAKC,KAAK,CAAC7B,SAAAA,IAAa,IAAA,GAAO,IAAG,CAAA,CAAA,CAAI,EAAE,CAAC,CAAA;AAExF,QAAA;AACF,IAAA;;IAGA,MAAM8B,WAAAA,GACJf,QAAAA,CAASU,OAAO,CAACC,GAAG,CAAC,cAAA,CAAA,EAAiBtC,KAAAA,CAAM,GAAA,CAAI,CAAC,CAAA,CAAE,IAAI,0BAAA;AACzD,IAAA,MAAMV,kBAAAA,GAAqBqC,QAAAA,CAASU,OAAO,CAACC,GAAG,CAAC,qBAAA,CAAA;AAChD,IAAA,MAAMvC,QAAAA,GAAWX,kBAAAA,CAAmBuC,QAAAA,CAAStC,GAAG,EAAEC,kBAAAA,CAAAA;;IAGlD,MAAMqD,WAAAA,GAAc,MAAMhB,QAAAA,CAASgB,WAAW,EAAA;IAC9C,MAAMC,MAAAA,GAASC,MAAAA,CAAOC,IAAI,CAACH,WAAAA,CAAAA;;AAG3B,IAAA,MAAMI,WAAAA,GAActD,IAAAA,CAAKuD,IAAI,CAACrC,mBAAAA,EAAqBZ,QAAAA,CAAAA;IACnD,MAAMkD,GAAAA,CAAIC,SAAS,CAACH,WAAAA,EAAaH,MAAAA,CAAAA;;AAGjC,IAAA,MAAMO,WAAAA,GAA8B;QAClCC,QAAAA,EAAUL,WAAAA;QACVM,gBAAAA,EAAkBtD,QAAAA;QAClBuD,QAAAA,EAAUZ,WAAAA;AACVa,QAAAA,IAAAA,EAAMX,OAAO1C,MAAM;AACnBS,QAAAA;AACF,KAAA;IAEA,OAAO;QAAE6C,IAAAA,EAAML;AAAY,KAAA;AAC7B,CAAA;AAEA,MAAMM,gBAAgB,OAAOC,QAAAA,GAAAA;IAC3B,IAAI,CAACA,UAAU,OAAO,GAAA;IAEtB,MAAMC,YAAAA,GAAe,MAAMlC,MAAAA,CAAOmC,EAAE,CAACC,KAAK,CAACC,gBAAAA,CAAAA,CAAkBC,OAAO,CAAC;QAAEC,KAAAA,EAAO;YAAEC,EAAAA,EAAIP;AAAS;AAAE,KAAA,CAAA;AAE/F,IAAA,OAAOC,aAAalE,IAAI;AAC1B,CAAA;AAEA,MAAMyE,WAAAA,GAAc,OAAOC,GAAAA,GAAgB,EAAE,GAAA;IAC3C,MAAMC,aAAAA,GAAgB,MAAM3C,MAAAA,CAAOmC,EAAE,CAClCC,KAAK,CAACQ,cAAAA,CAAAA,CACNC,QAAQ,CAAC;QAAEN,KAAAA,EAAO;YAAEC,EAAAA,EAAI;gBAAEM,GAAAA,EAAKJ;AAAI;AAAE;AAAE,KAAA,CAAA;IAE1C,MAAMK,OAAAA,CAAQC,GAAG,CAACL,aAAAA,CAAcM,GAAG,CAAC,CAAClB,IAAAA,GAAemB,UAAAA,CAAW,QAAA,CAAA,CAAUC,MAAM,CAACpB,IAAAA,CAAAA,CAAAA,CAAAA;IAEhF,OAAOY,aAAAA;AACT,CAAA;AAEA,MAAMS,eAAe,OAAOrB,IAAAA,GAAAA;AAC1B,IAAA,MAAM,EAAEsB,QAAQ,EAAE,GAAGrD,MAAAA,CAAOsD,OAAO,CAACC,MAAM;IAC1C,MAAM,EAAEF,UAAUG,cAAc,EAAE,GAAGxD,MAAAA,CAAOyD,MAAM,CAAC5C,GAAG,CAAS,gBAAA,CAAA;IAC/D,MAAM6C,SAAAA,GAAY,MAAML,QAAAA,CAASK,SAAS,EAAA;AAC1C3B,IAAAA,IAAAA,CAAK4B,WAAW,GAAG,KAAA;;AAGnB,IAAA,IAAI5B,IAAAA,CAAKsB,QAAQ,KAAKG,cAAAA,IAAkB,CAACE,SAAAA,EAAW;QAClD,OAAO3B,IAAAA;AACT,IAAA;AAEA,IAAA,MAAM6B,UAAU,OAAO7B,IAAAA,GAAAA;AACrB,QAAA,MAAM8B,SAAAA,GAAY,MAAMR,QAAAA,CAASS,YAAY,CAAC/B,IAAAA,CAAAA;QAC9CA,IAAAA,CAAKnE,GAAG,GAAGiG,SAAAA,CAAUjG,GAAG;AACxBmE,QAAAA,IAAAA,CAAK4B,WAAW,GAAG,IAAA;AACrB,IAAA,CAAA;AAEA,IAAA,MAAMI,aAAaC,SAAAA,CAAUjC,IAAAA,CAAAA;;AAG7B,IAAA,MAAM6B,OAAAA,CAAQG,UAAAA,CAAAA;IACd,IAAIhC,IAAAA,CAAKkC,OAAO,EAAE;QAChB,MAAMC,KAAAA,CAAMjB,GAAG,CAACkB,MAAAA,CAAOC,MAAM,CAACL,UAAAA,CAAWE,OAAO,IAAI,EAAC,CAAA,EAAIL,OAAAA,CAAAA;AAC3D,IAAA;IAEA,OAAOG,UAAAA;AACT,CAAA;AAGA,WAAe;AAAE/B,IAAAA,aAAAA;AAAeS,IAAAA,WAAAA;AAAaW,IAAAA,YAAAA;AAAcnE,IAAAA;AAAoB,CAAA;;;;"}