mirror of
https://github.com/MindWorkAI/AI-Studio.git
synced 2026-02-12 15:21:37 +00:00
81 lines
3.1 KiB
C#
81 lines
3.1 KiB
C#
|
using Microsoft.AspNetCore.StaticFiles;
|
||
|
|
|
||
|
|
namespace AIStudio;
|
||
|
|
|
||
|
|
internal static class FileHandler
|
||
|
|
{
|
||
|
|
private const string ENDPOINT = "/local/file";
|
||
|
|
|
||
|
|
private static readonly ILogger LOGGER = Program.LOGGER_FACTORY.CreateLogger(nameof(FileHandler));
|
||
|
|
|
||
|
|
internal static string CreateFileUrl(string filePath)
|
||
|
|
{
|
||
|
|
var encodedPath = Uri.EscapeDataString(filePath);
|
||
|
|
return $"{ENDPOINT}?path={encodedPath}";
|
||
|
|
}
|
||
|
|
|
||
|
|
internal static async Task HandlerAsync(HttpContext context, Func<Task> nextHandler)
|
||
|
|
{
|
||
|
|
var requestPath = context.Request.Path.Value;
|
||
|
|
if (string.IsNullOrWhiteSpace(requestPath) || !requestPath.Equals(ENDPOINT, StringComparison.Ordinal))
|
||
|
|
{
|
||
|
|
await nextHandler();
|
||
|
|
return;
|
||
|
|
}
|
||
|
|
|
||
|
|
// Extract the file path from the query parameter:
|
||
|
|
// Format: /local/file?path={url-encoded-path}
|
||
|
|
if (!context.Request.Query.TryGetValue("path", out var pathValues) || pathValues.Count == 0)
|
||
|
|
{
|
||
|
|
context.Response.StatusCode = StatusCodes.Status400BadRequest;
|
||
|
|
LOGGER.LogWarning("No file path provided in the request. Using ?path={{url-encoded-path}} format.");
|
||
|
|
return;
|
||
|
|
}
|
||
|
|
|
||
|
|
// The query parameter is automatically URL-decoded by ASP.NET Core:
|
||
|
|
var filePath = pathValues[0];
|
||
|
|
if (string.IsNullOrWhiteSpace(filePath))
|
||
|
|
{
|
||
|
|
context.Response.StatusCode = StatusCodes.Status400BadRequest;
|
||
|
|
LOGGER.LogWarning("Empty file path provided in the request.");
|
||
|
|
return;
|
||
|
|
}
|
||
|
|
|
||
|
|
// Security check: Prevent path traversal attacks:
|
||
|
|
var fullPath = Path.GetFullPath(filePath);
|
||
|
|
if (fullPath != filePath && !filePath.StartsWith('/'))
|
||
|
|
{
|
||
|
|
// On Windows, absolute paths may differ, so we do an additional check
|
||
|
|
// to ensure no path traversal sequences are present:
|
||
|
|
if (filePath.Contains(".."))
|
||
|
|
{
|
||
|
|
context.Response.StatusCode = StatusCodes.Status403Forbidden;
|
||
|
|
LOGGER.LogWarning("Path traversal attempt detected: {FilePath}", filePath);
|
||
|
|
return;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
// Check if the file exists:
|
||
|
|
if (!File.Exists(filePath))
|
||
|
|
{
|
||
|
|
context.Response.StatusCode = StatusCodes.Status404NotFound;
|
||
|
|
LOGGER.LogWarning("Requested file not found: '{FilePath}'", filePath);
|
||
|
|
return;
|
||
|
|
}
|
||
|
|
|
||
|
|
// Determine the content type:
|
||
|
|
var contentTypeProvider = new FileExtensionContentTypeProvider();
|
||
|
|
if (!contentTypeProvider.TryGetContentType(filePath, out var contentType))
|
||
|
|
contentType = "application/octet-stream";
|
||
|
|
|
||
|
|
// Set response headers:
|
||
|
|
context.Response.ContentType = contentType;
|
||
|
|
context.Response.Headers.ContentDisposition = $"inline; filename=\"{Path.GetFileName(filePath)}\"";
|
||
|
|
|
||
|
|
// Stream the file to the response:
|
||
|
|
await using var fileStream = new FileStream(filePath, FileMode.Open, FileAccess.Read, FileShare.Read, bufferSize: 64 * 1024, useAsync: true);
|
||
|
|
context.Response.ContentLength = fileStream.Length;
|
||
|
|
await fileStream.CopyToAsync(context.Response.Body);
|
||
|
|
}
|
||
|
|
}
|