Allow to disable the NoPrivateNetwork protection for attachment downloads via an env variable

Author: jbtronics

.env

@@ -121,6 +121,10 @@ SAML_SP_PRIVATE_KEY="MIIE..."
 # In demo mode things it is not possible for a user to change his password and his settings.
 DEMO_MODE=0
 
+# When this is set to 1, users can make Part-DB directly download a file specified as a URL from the local network and create it as a local file.
+# This allows users access to all resources available in the local network, which could be a security risk, so use this only if you trust your users and have a secure local network.
+ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK=0
+
 # Change this to true, if no url rewriting (like mod_rewrite for Apache) is available
 # In that case all URL contains the index.php front controller in URL
 NO_URL_REWRITE_AVAILABLE=0

config/parameters.yaml

@@ -105,6 +105,8 @@ parameters:
 
   env(DATABASE_EMULATE_NATURAL_SORT): 0
 
+  env(ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK): 0
+
   ######################################################################################################################
   # Bulk Info Provider Import Configuration
   ######################################################################################################################

docs/configuration.md

@@ -86,6 +86,7 @@ bundled with Part-DB. Set `DATABASE_MYSQL_SSL_VERIFY_CERT` if you want to accept
 * `ATTACHMENT_DOWNLOAD_BY_DEFAULT`: When this is set to 1, the "download external file" checkbox is checked by default
   when adding a new attachment. Otherwise, it is unchecked by default. Use this if you wanna download all attachments
   locally by default. Attachment download is only possible, when `ALLOW_ATTACHMENT_DOWNLOADS` is set to 1.
+* `ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK` (default `0`): When this is set to 1, users can make Part-DB directly download a file specified as a URL from the local network and create it as a local file. This allows users access to all resources available in the local network, which could be a security risk, so use this only if you trust your users and have a secure local network.
 * `ATTACHMENT_SHOW_HTML_FILES`: When enabled, user uploaded HTML attachments can be viewed directly in the browser. 
   Many potential malicious functions are restricted, still this is a potential security risk and should only be enabled,
   if you trust the users who can upload files. When set to 0, HTML files are rendered as plain text.

src/Services/Attachments/AttachmentSubmitHandler.php

@@ -44,6 +44,7 @@
 use App\Settings\SystemSettings\AttachmentsSettings;
 use Hshn\Base64EncodedFile\HttpFoundation\File\Base64EncodedFile;
 use Hshn\Base64EncodedFile\HttpFoundation\File\UploadedBase64EncodedFile;
+use Symfony\Component\DependencyInjection\Attribute\Autowire;
 use Symfony\Component\HttpClient\NoPrivateNetworkHttpClient;
 use const DIRECTORY_SEPARATOR;
 use InvalidArgumentException;
@@ -77,6 +78,8 @@ public function __construct(
         protected FileTypeFilterTools $filterTools,
         protected AttachmentsSettings $settings,
         protected readonly SVGSanitizer $SVGSanitizer,
+        #[Autowire(env: "bool:ALLOW_ATTACHMENT_DOWNLOADS_FROM_LOCALNETWORK")]
+        private readonly bool $allow_local_network_downloads = false,
     )
     {
         //The mapping used to determine which folder will be used for an attachment type
@@ -97,7 +100,9 @@ public function __construct(
             LabelAttachment::class => 'label_profile',
         ];
 
-        $this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient);
+        if (!$this->allow_local_network_downloads) {
+            $this->httpClient = new NoPrivateNetworkHttpClient($this->httpClient);
+        }
     }
 
     /**