From bfbccbede14853c68edecf5dd5d08a50a6ed5c9d Mon Sep 17 00:00:00 2001
From: Dan Brown <ssddanbrown@googlemail.com>
Date: Mon, 1 Nov 2021 11:32:00 +0000
Subject: [PATCH] Updated attachments to not be saved with a complete extension

Intended to limit impact in the event the storage path is potentially
exposed.
---
 app/Auth/User.php                 | 2 +-
 app/Uploads/AttachmentService.php | 2 +-
 app/Uploads/ImageService.php      | 2 +-
 tests/Uploads/AttachmentTest.php  | 3 ++-
 4 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/Auth/User.php b/app/Auth/User.php
index 0a6849fe0..da47a9d69 100644
--- a/app/Auth/User.php
+++ b/app/Auth/User.php
@@ -27,7 +27,7 @@ use Illuminate\Support\Collection;
 /**
  * Class User.
  *
- * @property string     $id
+ * @property int        $id
  * @property string     $name
  * @property string     $slug
  * @property string     $email
diff --git a/app/Uploads/AttachmentService.php b/app/Uploads/AttachmentService.php
index c9cd99b38..52954d24f 100644
--- a/app/Uploads/AttachmentService.php
+++ b/app/Uploads/AttachmentService.php
@@ -216,7 +216,7 @@ class AttachmentService
         $storage = $this->getStorageDisk();
         $basePath = 'uploads/files/' . date('Y-m-M') . '/';
 
-        $uploadFileName = Str::random(16) . '.' . $uploadedFile->getClientOriginalExtension();
+        $uploadFileName = Str::random(16) . '-' . $uploadedFile->getClientOriginalExtension();
         while ($storage->exists($this->adjustPathForStorageDisk($basePath . $uploadFileName))) {
             $uploadFileName = Str::random(3) . $uploadFileName;
         }
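Review bot: The suffix appended after `-` on the new `$uploadFileName` line is still the raw client-supplied value from `getClientOriginalExtension()`, so its length and characters are whatever the uploader sent, and an upload with no extension yields a name ending in a bare `-`. Consider normalising it first, for example `$extension = substr(preg_replace('/[^a-z0-9]/', '', strtolower($uploadedFile->getClientOriginalExtension())), 0, 20);` (the cap of 20 is only an example), and using `$extension` in the concatenation. A short why-comment would also help the next maintainer, such as `// '-' instead of '.' so the stored file never has an extension a web server could map to a handler`. The change only affects new uploads; files already stored under the old `.ext` naming presumably keep those names unless they are migrated. The enclosing method starts and ends outside the hunk.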
diff --git a/app/Uploads/ImageService.php b/app/Uploads/ImageService.php
index eb2fc57b8..0c3dfc47d 100644
--- a/app/Uploads/ImageService.php
+++ b/app/Uploads/ImageService.php
@@ -11,11 +11,11 @@ use Illuminate\Contracts\Filesystem\FileNotFoundException;
 use Illuminate\Contracts\Filesystem\Filesystem as FileSystemInstance;
 use Illuminate\Contracts\Filesystem\Filesystem as Storage;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Str;
 use Intervention\Image\Exception\NotSupportedException;
 use Intervention\Image\ImageManager;
 use League\Flysystem\Util;
-use Log;
 use Psr\SimpleCache\InvalidArgumentException;
 use Symfony\Component\HttpFoundation\File\UploadedFile;
 use Symfony\Component\HttpFoundation\StreamedResponse;
diff --git a/tests/Uploads/AttachmentTest.php b/tests/Uploads/AttachmentTest.php
index 26f092bcc..1682577bf 100644
--- a/tests/Uploads/AttachmentTest.php
+++ b/tests/Uploads/AttachmentTest.php
@@ -109,7 +109,8 @@ class AttachmentTest extends TestCase
 
         $attachment = Attachment::query()->orderBy('id', 'desc')->first();
         $this->assertStringNotContainsString($fileName, $attachment->path);
-        $this->assertStringEndsWith('.txt', $attachment->path);
+        $this->assertStringEndsWith('-txt', $attachment->path);
+        $this->deleteUploads();
     }
 
     public function test_file_display_and_access()
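Review bot: The updated assertion pins the `-txt` suffix but not the property the commit is after, which is that the stored name carries no usable extension. Adding `$this->assertStringNotContainsString('.', basename($attachment->path));` next to it would catch a regression that reintroduces a dot in any form. The new `$this->deleteUploads();` call sits after the assertions, so a failing assertion would presumably leave the uploaded file on disk; doing the cleanup in `tearDown()` or a `try`/`finally` avoids that. The test method starts outside the hunk.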