From 582698bd03235a7ee1b458865bd0b32fa368d369 Mon Sep 17 00:00:00 2001
From: Suven-p
Date: Thu, 18 May 2023 00:41:07 +0545
Subject: [PATCH 1/3] Validate value of x-appwrite-id header
---
 app/config/errors.php | 5 +++++
 app/controllers/api/storage.php | 5 +++++
 src/Appwrite/Extend/Exception.php | 1 +
 3 files changed, 11 insertions(+)
diff --git a/app/config/errors.php b/app/config/errors.php
index 1361207a1d..078a620168 100644
--- a/app/config/errors.php
+++ b/app/config/errors.php
@@ -318,6 +318,11 @@ return [
 'description' => 'The requested range is not satisfiable. Please check the value of the Range header.',
 'code' => 416,
 ],
+ Exception::STORAGE_INVALID_APPWRITE_ID => [
+ 'name' => Exception::STORAGE_INVALID_APPWRITE_ID,
+ 'description' => 'The value for x-appwrite-id header is invalid. Please check the value of the x-appwrite-id header is valid id and not unique().',
+ 'code' => 400,
+ ],
 /** Functions */
 Exception::FUNCTION_NOT_FOUND => [
diff --git a/app/controllers/api/storage.php b/app/controllers/api/storage.php
index d59d950d93..b8a249f654 100644
--- a/app/controllers/api/storage.php
+++ b/app/controllers/api/storage.php
@@ -449,6 +449,11 @@ App::post('/v1/storage/buckets/:bucketId/files')
 throw new Exception(Exception::STORAGE_INVALID_CONTENT_RANGE);
 }
+ $idValidator = new UID();
+ if (!$idValidator->isValid($request->getHeader('x-appwrite-id'))) {
+ throw new Exception(Exception::STORAGE_INVALID_APPWRITE_ID);
+ }
+
 if ($end === $fileSize) { //if it's a last chunks the chunk size might differ, so we set the $chunks and $chunk to -1 notify it's last chunk
 $chunks = $chunk = -1;
diff --git a/src/Appwrite/Extend/Exception.php b/src/Appwrite/Extend/Exception.php
index ed7194125c..05caa75c63 100644
--- a/src/Appwrite/Extend/Exception.php
+++ b/src/Appwrite/Extend/Exception.php
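Review bot: The new description at `'description' => 'The value for x-appwrite-id header is invalid. Please check the value of the x-appwrite-id header is valid id and not unique().'` reads awkwardly ("check the value ... is valid id") and repeats the header name, unlike the neighbouring 416 entry which follows the pattern "X. Please check the value of the Y header." Something like `'description' => 'The value of the x-appwrite-id header is invalid. Please check that it is a valid ID and not unique().'` keeps that house style. Note that the e2e test added in PATCH 2/3 asserts this exact string, so the message and the test would have to change together.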
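Review bot: The check at `if (!$idValidator->isValid($request->getHeader('x-appwrite-id')))` validates the header unconditionally, yet nothing in the hunk shows what `getHeader` returns for an absent header or whether `UID` accepts an empty value; if a first chunk may legitimately arrive without x-appwrite-id, this branch would now reject it with 400 rather than only rejecting malformed values such as `unique()`. Consider reading the header once and validating only when it is present, e.g. `$appwriteId = $request->getHeader('x-appwrite-id');` / `if ($appwriteId !== '' && !(new UID())->isValid($appwriteId)) {` (assuming an absent header comes back as an empty string), and, if later code uses the header as the file ID, reusing `$appwriteId` there so the validated value and the used value are the same. Rejecting a malformed ID early is the right defensive move since this client-supplied header presumably selects the file document the remaining chunks are appended to; whether that lookup also enforces ownership is outside this hunk. The hunk adds no `use` statement for `UID`, so it must already be imported in storage.php, and the route closure starts and ends outside the hunk.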
@@ -106,6 +106,7 @@ class Exception extends \Exception
 public const STORAGE_BUCKET_NOT_FOUND = 'storage_bucket_not_found';
 public const STORAGE_INVALID_CONTENT_RANGE = 'storage_invalid_content_range';
 public const STORAGE_INVALID_RANGE = 'storage_invalid_range';
+ public const STORAGE_INVALID_APPWRITE_ID = 'storage_invalid_appwrite_id';
 /** Functions */
 public const FUNCTION_NOT_FOUND = 'function_not_found';
From 5108ab7b061ffb1846b1cbdbd3077110e026482c Mon Sep 17 00:00:00 2001
From: Suven-p
Date: Sun, 21 May 2023 15:43:26 +0000
Subject: [PATCH 2/3] Add test for x-appwrite-id = unique()
---
 tests/e2e/Services/Storage/StorageBase.php | 23 ++++++++++++++++++++++
 1 file changed, 23 insertions(+)
diff --git a/tests/e2e/Services/Storage/StorageBase.php b/tests/e2e/Services/Storage/StorageBase.php
index 3169077f99..88a09fe66f 100644
--- a/tests/e2e/Services/Storage/StorageBase.php
+++ b/tests/e2e/Services/Storage/StorageBase.php
@@ -240,6 +240,29 @@ trait StorageBase
 $this->assertEquals(400, $failedBucket['headers']['status-code']);
+ /**
+ * Test for FAILURE set x-appwrite-id to unique()
+ */
+ $source = realpath(__DIR__ . '/../../../resources/logo.png');
+ $totalSize = \filesize($source);
+ $res = $this->client->call(Client::METHOD_POST, '/storage/buckets/' . $bucketId . '/files', array_merge([
+ 'content-type' => 'multipart/form-data',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ 'content-range' => 'bytes 0-' . $size. '/' . $size,
+ 'x-appwrite-id' => 'unique()',
+ ], $this->getHeaders()), [
+ 'fileId' => ID::unique(),
+ 'file' => new CURLFile($source, 'image/png', 'logo.png'),
+ 'permissions' => [
+ Permission::read(Role::any()),
+ Permission::update(Role::any()),
+ Permission::delete(Role::any()),
+ ],
+ ]);
+
+ $this->assertEquals(400, $res['headers']['status-code']);
+ $this->assertEquals('The value for x-appwrite-id header is invalid. Please check the value of the x-appwrite-id header is valid id and not unique().', $res['body']['message']);
+
 return ['bucketId' => $bucketId, 'fileId' => $file['body']['$id'], 'largeFileId' => $largeFile['body']['$id'], 'largeBucketId' => $bucket2['body']['$id']];
 }
From 42b2587b6da7eaf8bf17b7519d7efc4aeba18d7b Mon Sep 17 00:00:00 2001
From: Suven-p
Date: Sat, 27 May 2023 22:54:00 +0545
Subject: [PATCH 3/3] Fix linting error
---
 tests/e2e/Services/Storage/StorageBase.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/e2e/Services/Storage/StorageBase.php b/tests/e2e/Services/Storage/StorageBase.php
index 88a09fe66f..62b49e62f3 100644
--- a/tests/e2e/Services/Storage/StorageBase.php
+++ b/tests/e2e/Services/Storage/StorageBase.php
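Review bot: `$totalSize = \filesize($source);` is assigned but never used; the header on the line `'content-range' => 'bytes 0-' . $size. '/' . $size,` is built from `$size`, which is set somewhere above the hunk for an earlier upload, so the declared range does not necessarily describe the logo.png actually sent. The request is expected to fail on the x-appwrite-id check before the range matters, so the test passes today, but if the validation order in storage.php ever changed it would silently start exercising a content-range error instead; building the header from the file that is sent, `'content-range' => 'bytes 0-' . $totalSize . '/' . $totalSize,` (keeping the end-equals-size convention the other tests and the `$end === $fileSize` check use), or dropping `$totalSize`, avoids that. Asserting the full description string also couples the test to copy in errors.php; checking the status code together with the error type, if the response body exposes one, would be less brittle. The enclosing test method starts outside the hunk.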
@@ -248,7 +248,7 @@ trait StorageBase
 $res = $this->client->call(Client::METHOD_POST, '/storage/buckets/' . $bucketId . '/files', array_merge([
 'content-type' => 'multipart/form-data',
 'x-appwrite-project' => $this->getProject()['$id'],
- 'content-range' => 'bytes 0-' . $size. '/' . $size,
+ 'content-range' => 'bytes 0-' . $size . '/' . $size,
 'x-appwrite-id' => 'unique()',
 ], $this->getHeaders()), [
 'fileId' => ID::unique(),