[SECURITY] Add hmac validation to file downloads in be module

It was possible to download an arbitrary file from a TYPO3
installation using the download link in the powermail module.
This commits adds a hmac to the link and validates it before
starting the download.

Author: mschwemer

Classes/Controller/ModuleController.php

@@ -353,10 +353,10 @@ protected function checkAdminPermissions(): ?ResponseInterface
     public function downloadFile(ServerRequestInterface $request): ?ResponseInterface
     {
         $queryParams = $request->getQueryParams();
-        if (array_key_exists('file', $queryParams)) {
+        if (array_key_exists('file', $queryParams) && array_key_exists('hmac', $queryParams)) {
             $fileName = basename($queryParams['file']);
             $absoluteFileName = GeneralUtility::getFileAbsFileName($queryParams['file']);
-            if (is_file($absoluteFileName)) {
+            if (is_file($absoluteFileName) && $this->isValidHmac($absoluteFileName, $queryParams['hmac'])) {
                 (mime_content_type($absoluteFileName) === false) ? $mimeType = '' : $mimeType = mime_content_type($absoluteFileName);
                 return $this->responseFactory->createResponse()
                     ->withHeader('Content-Type', $mimeType)
@@ -367,4 +367,10 @@ public function downloadFile(ServerRequestInterface $request): ?ResponseInterfac
 
         return new ForwardResponse('list');
     }
+
+    protected function isValidHmac(string $fileName, string $hmacFromQuery): bool
+    {
+        $hmacGenerated = BasicFileUtility::getHmacForFile($fileName);
+        return hash_equals($hmacGenerated, $hmacFromQuery);
+    }
 }

Classes/Utility/BasicFileUtility.php

@@ -81,4 +81,9 @@ public static function getRelativeFolder(string $path): string
 
         return $path;
     }
+
+    public static function getHmacForFile(string $file): string
+    {
+        return GeneralUtility::hmac($file, '_powermail');
+    }
 }

Classes/ViewHelpers/Misc/GetHmacForFileViewHelper.php

@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace In2code\Powermail\ViewHelpers\Misc;
+
+use In2code\Powermail\Utility\BasicFileUtility;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3Fluid\Fluid\Core\ViewHelper\AbstractTagBasedViewHelper;
+
+/**
+ * Get Upload Path ViewHelper
+ */
+class GetHmacForFileViewHelper extends AbstractTagBasedViewHelper
+{
+    protected string $uploadPathFallback = 'uploads/tx_powermail/';
+
+    public function initializeArguments(): void
+    {
+        parent::initializeArguments();
+        $this->registerArgument('fileName', 'string', 'Filename like "picture.jpg"', true);
+        $this->registerArgument('path', 'string', 'Path like "fileadmin/powermail/uploads/"', true);
+    }
+
+    public function render(): string
+    {
+        $fileName = $this->arguments['fileName'] ?? '';
+        $path = $this->arguments['path'] ?? $this->uploadPathFallback;
+
+        $absFileName = GeneralUtility::getFileAbsFileName($path . $fileName);
+
+        return BasicFileUtility::getHmacForFile($absFileName);
+    }
+}

Resources/Private/Partials/Module/List.html

@@ -221,8 +221,7 @@
 																		</f:else>
 																	</f:if>
 																</a>
-
-																<a href="{be:moduleLink(route:'powermail_downloadfile', arguments:'{file: \'{settings.uploadPath}{subValue}\'}')}" download>
+																<a href="{be:moduleLink(route:'powermail_downloadfile', arguments:'{file: \'{settings.uploadPath}{subValue}\', hmac: \'{vh:misc.getHmacForFile(fileName:subValue, path:settings.uploadPath)}\'}')}" download>
 																	Download
 																</a>
 															</div>