ファイルアップロード可能な機能を制限するオプションを追加

.env.dist

@@ -50,5 +50,6 @@ MAILER_DSN=null://null
 #ECCUBE_2FA_ENABLED=true
 #ECCUBE_2FA_COOKIE_NAME=eccube_2fa
 #ECCUBE_2FA_EXPIRE=14
+#ECCUBE_RESTRICT_FILE_UPLOAD=0
 
 ###< APPLICATION CONFIG ###

app/config/eccube/packages/eccube.yaml

@@ -17,6 +17,7 @@ parameters:
     env(ECCUBE_2FA_ENABLED): '1'
     env(ECCUBE_2FA_COOKIE_NAME): 'eccube_2fa'
     env(ECCUBE_2FA_EXPIRE): '14'
+    env(ECCUBE_RESTRICT_FILE_UPLOAD): '0'
 
     # EC-CUBE parameter
     eccube_database_url: '%env(DATABASE_URL)%'
@@ -136,3 +137,14 @@ parameters:
     eccube_2fa_enabled: '%env(ECCUBE_2FA_ENABLED)%'
     eccube_2fa_cookie_name: '%env(ECCUBE_2FA_COOKIE_NAME)%'
     eccube_2fa_expire: '%env(ECCUBE_2FA_EXPIRE)%'
+    eccube_restrict_file_upload: '%env(ECCUBE_RESTRICT_FILE_UPLOAD)%' # ファイルアップロード可能な機能を制限する
+    eccube_restrict_file_upload_urls: # ファイルアップロードを制限するURL
+      - admin_content_file
+      - admin_store_plugin_install
+      - admin_content_page_new
+      - admin_content_page_edit
+      - admin_content_block_new
+      - admin_content_block_edit
+      - admin_content_css
+      - admin_content_js
+      - admin_store_template_install

src/Eccube/Controller/Admin/Content/BlockController.php

@@ -83,6 +83,8 @@ public function index(Request $request)
      */
     public function edit(Request $request, Environment $twig, FileSystem $fs, CacheUtil $cacheUtil, $id = null)
     {
+        $this->addInfo('admin.common.restrict_file_upload_info', 'admin');
+
         $DeviceType = $this->deviceTypeRepository
             ->find(DeviceType::DEVICE_TYPE_PC);
 

src/Eccube/Controller/Admin/Content/CssController.php

@@ -30,6 +30,8 @@ class CssController extends AbstractController
      */
     public function index(Request $request)
     {
+        $this->addInfo('admin.common.restrict_file_upload_info', 'admin');
+
         $builder = $this->formFactory
             ->createBuilder(FormType::class)
             ->add('css', TextareaType::class, [

src/Eccube/Controller/Admin/Content/FileController.php

@@ -27,6 +27,7 @@
 use Symfony\Component\HttpFoundation\File\UploadedFile;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\ResponseHeaderBag;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
 use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Symfony\Component\HttpKernel\Exception\UnsupportedMediaTypeHttpException;
 use Symfony\Component\Routing\Annotation\Route;
@@ -56,6 +57,8 @@ public function __construct()
      */
     public function index(Request $request)
     {
+        $this->addInfo('admin.common.restrict_file_upload_info', 'admin');
+
         $form = $this->formFactory->createBuilder(FormType::class)
             ->add('file', FileType::class, [
                 'multiple' => true,

src/Eccube/Controller/Admin/Content/JsController.php

@@ -30,6 +30,8 @@ class JsController extends AbstractController
      */
     public function index(Request $request)
     {
+        $this->addInfo('admin.common.restrict_file_upload_info', 'admin');
+
         $builder = $this->formFactory
             ->createBuilder(FormType::class)
             ->add('js', TextareaType::class, [

src/Eccube/Controller/Admin/Content/PageController.php

@@ -93,6 +93,8 @@ public function index(Request $request, RouterInterface $router)
      */
     public function edit(Request $request, Environment $twig, RouterInterface $router, CacheUtil $cacheUtil, $id = null)
     {
+        $this->addInfo('admin.common.restrict_file_upload_info', 'admin');
+
         if (null === $id) {
             $Page = $this->pageRepository->newPage();
         } else {

src/Eccube/Controller/Admin/Store/PluginController.php

@@ -485,6 +485,8 @@ public function uninstall(Plugin $Plugin, CacheUtil $cacheUtil)
      */
     public function install(Request $request, CacheUtil $cacheUtil)
     {
+        $this->addInfo('admin.common.restrict_file_upload_info', 'admin');
+
         $form = $this->formFactory
             ->createBuilder(PluginLocalInstallType::class)
             ->getForm();

src/Eccube/Controller/Admin/Store/TemplateController.php

@@ -219,6 +219,8 @@ public function delete(Request $request, \Eccube\Entity\Template $Template)
      */
     public function install(Request $request)
     {
+        $this->addInfo('admin.common.restrict_file_upload_info', 'admin');
+
         $form = $this->formFactory
             ->createBuilder(TemplateType::class)
             ->getForm();

src/Eccube/EventListener/RestrictFileUploadListener.php

@@ -0,0 +1,64 @@
+<?php
+
+/*
+ * This file is part of EC-CUBE
+ *
+ * Copyright(c) EC-CUBE CO.,LTD. All Rights Reserved.
+ *
+ * http://www.ec-cube.co.jp/
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Eccube\EventListener;
+
+use Eccube\Common\EccubeConfig;
+use Eccube\Request\Context;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpKernel\Event\ControllerEvent;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+class RestrictFileUploadListener implements EventSubscriberInterface
+{
+    /**
+     * @var EccubeConfig
+     */
+    protected $eccubeConfig;
+
+    /**
+     * @var Context
+     */
+    protected $requestContext;
+
+    public function __construct(EccubeConfig $eccubeConfig, Context $requestContext)
+    {
+        $this->eccubeConfig = $eccubeConfig;
+        $this->requestContext = $requestContext;
+    }
+
+    public function onKernelRequest(RequestEvent $event)
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        if (!$this->requestContext->isAdmin()) {
+            return;
+        }
+
+        $route = $event->getRequest()->attributes->get('_route');
+        $restrictUrls = $this->eccubeConfig['eccube_restrict_file_upload_urls'];
+        if ($this->eccubeConfig['eccube_restrict_file_upload'] === '1' && in_array($route, $restrictUrls)) {
+            throw new AccessDeniedHttpException(trans('exception.error_message_restrict_url'));
+        }
+    }
+
+    public static function getSubscribedEvents()
+    {
+        return [
+            'kernel.request' => ['onKernelRequest', 7] // RouterListener より必ず後で実行する
+        ];
+    }
+}

src/Eccube/EventListener/TwigInitializeListener.php

@@ -266,6 +266,8 @@ public function setAdminGlobals(RequestEvent $event)
      */
     private function getDisplayEccubeNav($parentNav, $AuthorityRoles, $baseUrl)
     {
+        $restrictUrls = $this->eccubeConfig['eccube_restrict_file_upload_urls'];
+
         foreach ($parentNav as $key => $childNav) {
             if (array_key_exists('children', $childNav) && count($childNav['children']) > 0) {
                 // 子のメニューがある場合は子の権限チェック
@@ -287,6 +289,10 @@ private function getDisplayEccubeNav($parentNav, $AuthorityRoles, $baseUrl)
                         break;
                     }
                 }
+
+                if ($this->eccubeConfig['eccube_restrict_file_upload'] === '1' && in_array($childNav['url'], $restrictUrls)) {
+                    unset($parentNav[$key]);
+                }
             }
         }
 

src/Eccube/Resource/locale/messages.en.yaml

@@ -497,6 +497,7 @@ admin.common.move_to_confirm_message: 'Will move to %name% Setting page. Do you
 admin.common.move_to_confirm_move_only: Move
 admin.common.move_to_confirm_save_and_move: Save & Move
 admin.common.admin_url_warning: 'Please set the Admin Console URL that is hard to guess for security. You can set it at "<a href="%url%">Security</a>".'
+admin.common.restrict_file_upload_info: 'If this feature is used infrequently, disabling it while not in use provides additional security. You can disable this feature by setting the environment variable ECCUBE_RESTRICT_FILE_UPLOAD to 1.'
 
 
 # Labels related to entity
@@ -1772,6 +1773,7 @@ exception.error_title_can_not_access: Unable to access.
 exception.error_message_can_not_access: The page you reached is not available. It may have been moved or deleted.
 exception.error_title_not_found: Page not found.
 exception.error_message_not_found: Please check if the URL is correct.
+exception.error_message_restrict_url: This functionality is restricted by the administrator.
 
 #------------------------------------------------------------------------------------
 # Purchase Flow

src/Eccube/Resource/locale/messages.ja.yaml

@@ -497,6 +497,7 @@ admin.common.move_to_confirm_message: '%name%に移動します。編集内容
 admin.common.move_to_confirm_move_only: 保存せずに移動
 admin.common.move_to_confirm_save_and_move: 保存して移動
 admin.common.admin_url_warning: '管理画面URLは、セキュリティのため推測されにくいものを設定してください。「<a href="%url%">セキュリティ管理</a>」から設定できます。'
+admin.common.restrict_file_upload_info: 'この機能の利用頻度が低い場合、使用しない間は無効化することでセキュリティを更に向上させることができます。環境変数 ECCUBE_RESTRICT_FILE_UPLOAD を 1 に設定することで機能を無効化することが可能です。'
 
 
 # エンティティに関連するラベル
@@ -1772,6 +1773,7 @@ exception.error_title_can_not_access: アクセスできません。
 exception.error_message_can_not_access: お探しのページはアクセスができない状況にあるか、移動もしくは削除された可能性があります。
 exception.error_title_not_found: ページがみつかりません。
 exception.error_message_not_found: URLに間違いがないかご確認ください。
+exception.error_message_restrict_url: この機能は管理者によって制限されています。
 
 #------------------------------------------------------------------------------------
 # PurchaseFlow