feat(assets): file upload extension validation (#391)

Co-authored-by: Anthony Fu <anthonyfu117@hotmail.com>

Author: arashsheyda

packages/devtools-kit/src/_types/options.ts

@@ -52,7 +52,7 @@ export interface ModuleOptions {
    */
   experimental?: {
     /**
-     * Timline tab
+     * Timeline tab
      * @deprecated Use `timeline.enable` instead
      */
     timeline?: boolean
@@ -83,6 +83,21 @@ export interface ModuleOptions {
     }
   }
 
+  /**
+   * Options for assets tab
+   */
+  assets?: {
+    /**
+     * Allowed file extensions for assets tab to upload.
+     * To security concern.
+     *
+     * Set to '*' to disbale this limitation entirely
+     *
+     * @default Common media and txt files
+     */
+    uploadExtensions?: '*' | string[]
+  }
+
   /**
    * Enable anonymous telemetry, helping us improve Nuxt DevTools.
    *

packages/devtools-ui-kit/src/components/NDropdown.vue

@@ -2,7 +2,12 @@
 import { ref } from 'vue'
 import { onClickOutside, useVModel } from '@vueuse/core'
 
-const props = defineProps<{ modelValue?: boolean }>()
+const props = withDefaults(defineProps<{
+  modelValue?: boolean
+  direction?: 'start' | 'end'
+}>(), {
+  direction: 'start',
+})
 const emit = defineEmits<{ (...args: any): void }>()
 
 const enabled = useVModel(props, 'modelValue', emit, { passive: true })
@@ -23,7 +28,7 @@ onClickOutside(el, () => {
 
     <div
       class="absolute z-10 border n-border-base rounded shadow n-transition n-bg-base"
-      :class="[enabled ? 'op-100' : 'op0 pointer-events-none -translate-y-1']"
+      :class="[enabled ? 'op-100' : 'op0 pointer-events-none -translate-y-1', direction === 'end' ? 'right-0' : 'left-0']"
     >
       <slot />
     </div>

packages/devtools/client/components/AssetDropZone.vue

@@ -2,18 +2,20 @@
 import type { AssetEntry } from '~/../src/types'
 
 const props = defineProps({
+  modelValue: {
+    type: Boolean,
+    required: true,
+  },
   folder: {
     type: String,
     required: true,
   },
 })
 
-const visible = ref(false)
+const visible = useVModel(props, 'modelValue')
 const lastTarget = ref()
 
 const files = ref<File[]>([])
-// TODO: add option to user to choose types
-const uploadTypes: string[] = ['image', 'video']
 
 function onDragEnter(e: DragEvent) {
   lastTarget.value = e.target
@@ -57,16 +59,7 @@ function setFiles(data: FileList | null) {
             classes: 'text-orange',
           })
         }
-        else if (uploadTypes.some(type => file.type.includes(type))) {
-          newFiles.push(file)
-        }
-        else {
-          devtoolsUiShowNotification({
-            message: `"${file.type}" file type is not allowed`,
-            icon: 'carbon:face-dissatisfied',
-            classes: 'text-orange',
-          })
-        }
+        newFiles.push(file)
       }
     }
     files.value = [...files.value, ...newFiles]
@@ -101,10 +94,9 @@ async function uploadFiles() {
       icon: 'i-carbon:checkmark',
     })
   }).catch((error) => {
-    console.error(error)
     close()
     devtoolsUiShowNotification({
-      message: `Error uploading files: ${error}`,
+      message: `Error uploading files: ${error?.message ?? 'unknown'}`,
       icon: 'i-carbon-warning',
       classes: 'text-red',
     })
@@ -156,13 +148,15 @@ useEventListener('drop', onDrop)
     :class="visible ? 'opacity-100 visible' : 'opacity-0 invisible'"
   >
     <NButton
+      v-tooltip.bottom-end="'Close'"
       icon="carbon-close"
+      title="Close"
       absolute right-5 top-5 z-20 text-xl
       :border="false"
       @click="close"
     />
     <div v-if="!files?.length" h-full w-full flex items-center justify-center>
-      <label for="drop-zone-input" text-3xl>
+      <label for="drop-zone-input" text-3xl hover="text-green cursor-pointer" transition-all>
         <NIcon icon="carbon-cloud-upload" mr-2 /> Drop files here or click to select
       </label>
       <input
@@ -179,7 +173,7 @@ useEventListener('drop', onDrop)
           Drag and drop files to upload
         </p>
       </div>
-      <div grid="~ cols-minmax-8rem" overflow-auto p6>
+      <div grid="~ cols-minmax-8rem gap-8" overflow-auto p6>
         <div
           v-for="file, index of files" :key="file.name"
           flex="~ col gap-2" relative h-50 w-40 items-center

packages/devtools/client/pages/modules/assets.vue

@@ -10,6 +10,7 @@ definePageMeta({
 })
 
 const assets = useStaticAssets()
+const dropzone = ref(false)
 const search = ref('')
 
 const fuse = computed(() => new Fuse(assets.value || [], {
@@ -18,11 +19,24 @@ const fuse = computed(() => new Fuse(assets.value || [], {
   ],
 }))
 
+const extensions = reactiveComputed(() => {
+  const results: { name: string; value: boolean }[] = []
+  for (const asset of assets.value || []) {
+    const ext = asset.path.split('.').pop()
+    if (ext && !results.find(e => e.name === ext))
+      results.push({ name: ext, value: true })
+  }
+  return results
+})
+
 const filtered = computed(() => {
   const result = search.value
     ? fuse.value.search(search.value).map(i => i.item)
     : (assets.value || [])
-  return result
+  return result.filter((asset) => {
+    const ext = asset.path.split('.').pop()
+    return !ext || extensions.some(e => e.name === ext && e.value)
+  })
 })
 
 const byFolders = computed(() => {
@@ -81,7 +95,40 @@ const navbar = ref<HTMLElement>()
   <div h-full of-auto>
     <NNavbar ref="navbar" v-model:search="search" pb2>
       <template #actions>
-        <div flex-none flex="~ gap2 items-center">
+        <div flex-none flex="~ gap2 items-center" text-lg>
+          <NButton
+            v-tooltip.bottom-end="'File Upload'"
+            icon="carbon:cloud-upload"
+            title="File Upload" :border="false"
+            @click="dropzone = !dropzone"
+          />
+          <NDropdown v-if="extensions.length" direction="end" n="sm primary">
+            <template #trigger="{ click }">
+              <NButton
+                v-tooltip.bottom-end="'Filter'"
+                icon="carbon-filter" :border="false"
+                title="Filter" p3 text-lg
+                @click="click()"
+              />
+              <span flex="~ items-center justify-center" absolute bottom--1 right--1 h-4 w-4 rounded-full bg-primary:30 text-8px>
+                {{ extensions.length }}
+              </span>
+            </template>
+            <div flex="~ col" w-30 of-auto>
+              <NCheckbox
+                v-for="item of extensions"
+                :key="item.name"
+                v-model="item.value"
+                flex="~ gap-2"
+                rounded
+                px2 py2
+              >
+                <span text-xs op75>
+                  {{ item.name }}
+                </span>
+              </NCheckbox>
+            </div>
+          </NDropdown>
           <NButton
             v-tooltip.bottom-end="'Toggle View'"
             text-lg :border="false"
@@ -97,7 +144,7 @@ const navbar = ref<HTMLElement>()
       </div>
     </NNavbar>
 
-    <AssetDropZone folder="/" />
+    <AssetDropZone v-model="dropzone" folder="/" />
 
     <template v-if="view === 'grid'">
       <template v-if="byFolders.length > 1">

packages/devtools/src/constant.ts

@@ -61,3 +61,34 @@ export const defaultTabOptions: NuxtDevToolsOptions = {
     view: 'grid',
   },
 }
+
+export const defaultAllowedExtensions = [
+  'png',
+  'jpg',
+  'jpeg',
+  'gif',
+  'svg',
+  'webp',
+  'ico',
+  'mp4',
+  'ogg',
+  'mp3',
+  'wav',
+  'mov',
+  'mkv',
+  'mpg',
+  'txt',
+  'ttf',
+  'woff',
+  'woff2',
+  'eot',
+  'json',
+  'js',
+  'jsx',
+  'ts',
+  'tsx',
+  'md',
+  'mdx',
+  'vue',
+  'webm',
+]

packages/devtools/src/server-rpc/assets.ts

@@ -1,14 +1,18 @@
 import fsp from 'node:fs/promises'
+import { parse } from 'node:path'
 import { join, resolve } from 'pathe'
 import { imageMeta } from 'image-meta'
 import { debounce } from 'perfect-debounce'
 import fg from 'fast-glob'
 import type { AssetEntry, AssetInfo, AssetType, ImageMeta, NuxtDevtoolsServerContext, ServerFunctions } from '../types'
+import { defaultAllowedExtensions } from '../constant'
 
-export function setupAssetsRPC({ nuxt, ensureDevAuthToken, refresh }: NuxtDevtoolsServerContext) {
+export function setupAssetsRPC({ nuxt, ensureDevAuthToken, refresh, options }: NuxtDevtoolsServerContext) {
   const _imageMetaCache = new Map<string, ImageMeta | undefined>()
   let cache: AssetInfo[] | null = null
 
+  const extensions = options.assets?.uploadExtensions || defaultAllowedExtensions
+
   const publicDir = resolve(nuxt.options.srcDir, nuxt.options.dir.public)
 
   const refreshDebounced = debounce(() => {
@@ -96,25 +100,31 @@ export function setupAssetsRPC({ nuxt, ensureDevAuthToken, refresh }: NuxtDevtoo
 
       return await Promise.all(
         files.map(async ({ path, content, encoding, override }) => {
-          let dir = resolve(baseDir, path)
+          let finalPath = resolve(baseDir, path)
+
+          const { ext } = parse(finalPath)
+          if (extensions !== '*') {
+            if (!extensions.includes(ext.toLowerCase()))
+              throw new Error(`File extension ${ext} is not allowed to upload, allowed extensions are: ${extensions.join(', ')}\nYou can configure it in Nuxt config at \`devtools.assets.uploadExtensions\`.`)
+          }
+
           if (!override) {
             try {
-              await fsp.stat(dir)
-              const ext = dir.split('.').pop() as string
-              const base = dir.slice(0, dir.length - ext.length - 1)
+              await fsp.stat(finalPath)
+              const base = finalPath.slice(0, finalPath.length - ext.length - 1)
               let i = 1
               while (await fsp.access(`${base}-${i}.${ext}`).then(() => true).catch(() => false))
                 i++
-              dir = `${base}-${i}.${ext}`
+              finalPath = `${base}-${i}.${ext}`
             }
             catch (err) {
               // Ignore error if file doesn't exist
             }
           }
-          await fsp.writeFile(dir, content, {
+          await fsp.writeFile(finalPath, content, {
             encoding: encoding ?? 'utf-8',
           })
-          return dir
+          return finalPath
         }),
       )
     },