From 7f9b44d6a54b85de076ecdac5c4168e4d7f5b8b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Fri, 21 Jun 2024 11:37:47 +0200
Subject: [PATCH] fix: Ignore preview requests for invalid file ids
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 apps/files/lib/Controller/ApiController.php | 4 ++++
 apps/files/tests/Controller/ApiControllerTest.php | 12 ++++++++++++
 core/Controller/PreviewController.php | 4 ++++
 tests/Core/Controller/PreviewControllerTest.php | 1 +
 4 files changed, 21 insertions(+)
diff --git a/apps/files/lib/Controller/ApiController.php b/apps/files/lib/Controller/ApiController.php
index 285857c9a19..6ccdefa7537 100644
--- a/apps/files/lib/Controller/ApiController.php
+++ b/apps/files/lib/Controller/ApiController.php
@@ -123,6 +123,10 @@ class ApiController extends Controller {
 throw new NotFoundException();
 }
+ if ($file->getId() <= 0) {
+ return new DataResponse(['message' => 'File not found.'], Http::STATUS_NOT_FOUND);
+ }
+
 /** @var File $file */
 $preview = $this->previewManager->getPreview($file, $x, $y, true);
diff --git a/apps/files/tests/Controller/ApiControllerTest.php b/apps/files/tests/Controller/ApiControllerTest.php
index 269977350f7..1e574e16d04 100644
--- a/apps/files/tests/Controller/ApiControllerTest.php
+++ b/apps/files/tests/Controller/ApiControllerTest.php
@@ -177,6 +177,7 @@ class ApiControllerTest extends TestCase {
 public function testGetThumbnailInvalidImage() {
 $file = $this->createMock(File::class);
+ $file->method('getId')->willReturn(123);
 $this->userFolder->method('get')
 ->with($this->equalTo('unknown.jpg'))
 ->willReturn($file);
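Review bot: The new `$file->getId() <= 0` guard in `apps/files/lib/Controller/ApiController.php` has no comment saying which nodes it is meant to reject, and the same bare check is repeated on `$node` in the `core/Controller/PreviewController.php` hunk. The test name `testGetThumbnailInvalidPartFile` suggests the target is part files that do not have a usable file id yet, but that is only inferable from the test, not from either controller. I would put a line above each guard such as `// Nodes without a valid file id (e.g. part files) have nothing to preview; answer as not found`. The enclosing method starts and ends outside the hunk, so whether an exception raised by `getId()` itself is caught there cannot be confirmed from this diff.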
@@ -188,8 +189,19 @@ class ApiControllerTest extends TestCase {
 $this->assertEquals($expected, $this->apiController->getThumbnail(10, 10, 'unknown.jpg'));
 }
+ public function testGetThumbnailInvalidPartFile() {
+ $file = $this->createMock(File::class);
+ $file->method('getId')->willReturn(0);
+ $this->userFolder->method('get')
+ ->with($this->equalTo('unknown.jpg'))
+ ->willReturn($file);
+ $expected = new DataResponse(['message' => 'File not found.'], Http::STATUS_NOT_FOUND);
+ $this->assertEquals($expected, $this->apiController->getThumbnail(10, 10, 'unknown.jpg'));
+ }
+
 public function testGetThumbnail() {
 $file = $this->createMock(File::class);
+ $file->method('getId')->willReturn(123);
 $this->userFolder->method('get')
 ->with($this->equalTo('known.jpg'))
 ->willReturn($file);
diff --git a/core/Controller/PreviewController.php b/core/Controller/PreviewController.php
index 7adec03814c..a28fea726de 100644
--- a/core/Controller/PreviewController.php
+++ b/core/Controller/PreviewController.php
@@ -159,6 +159,10 @@ class PreviewController extends Controller {
 return new DataResponse([], Http::STATUS_FORBIDDEN);
 }
+ if ($node->getId() <= 0) {
+ return new DataResponse([], Http::STATUS_NOT_FOUND);
+ }
+
 $storage = $node->getStorage();
 if ($storage->instanceOfStorage(SharedStorage::class)) {
 /** @var SharedStorage $storage */
diff --git a/tests/Core/Controller/PreviewControllerTest.php b/tests/Core/Controller/PreviewControllerTest.php
index 1f8cfff1172..d8d1601f873 100644
--- a/tests/Core/Controller/PreviewControllerTest.php
+++ b/tests/Core/Controller/PreviewControllerTest.php
@@ -204,6 +204,7 @@ class PreviewControllerTest extends \Test\TestCase {
 ->willReturn($userFolder);
 $file = $this->createMock(File::class);
+ $file->method('getId')->willReturn(123);
 $userFolder->method('get')
 ->with($this->equalTo('file'))
 ->willReturn($file);
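Review bot: `testGetThumbnailInvalidPartFile` stubs `getId()` with `0` only, so the negative half of the controller's `<= 0` condition is not pinned and a later narrowing to `=== 0` would still pass. A second case using `$file->method('getId')->willReturn(-1);`, or a data provider over `0` and `-1`, would close that gap. The test could also assert that the preview manager mock is never asked for a preview, which is the behaviour the guard exists to ensure.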
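Review bot: The 404 branch added to `core/Controller/PreviewController.php` has no test of its own in this patch. The only change to `tests/Core/Controller/PreviewControllerTest.php` stubs `getId()` with `123`, presumably so an existing test still reaches the preview call, whereas the files app received a dedicated test. A case that stubs `$file->method('getId')->willReturn(0);` and expects `new DataResponse([], Http::STATUS_NOT_FOUND)` would cover it. The guard sits after the `Http::STATUS_FORBIDDEN` return, so the permission answer takes precedence over the new 404, and a test would lock that order in. The enclosing method begins and ends outside the hunk.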