element-web/src/utils/DecryptFile.ts

/*
Copyright 2016, 2018, 2021 The Matrix.org Foundation C.I.C.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

// Pull in the encryption lib so that we can decrypt attachments.
import encrypt from 'browser-encrypt-attachment';
import { mediaFromContent } from "../customisations/Media";
import { IEncryptedFile, IMediaEventInfo } from "../customisations/models/IMediaEventContent";
import { getBlobSafeMimeType } from "./blobs";

/**
 * Decrypt a file attached to a matrix event.
 * @param {IEncryptedFile} file The encrypted file information taken from the matrix event.
 *   This passed to [link]{@link https://github.com/matrix-org/browser-encrypt-attachments}
 *   as the encryption info object, so will also have the those keys in addition to
 *   the keys below.
 * @param {IMediaEventInfo} info The info parameter taken from the matrix event.
 * @returns {Promise<Blob>} Resolves to a Blob of the file.
 */
export function decryptFile(
    file: IEncryptedFile,
    info: IMediaEventInfo | undefined,
): Promise<Blob> {
    const media = mediaFromContent({ file });
    // Download the encrypted file as an array buffer.
    return media.downloadSource().then((response) => {
        return response.arrayBuffer();
    }).then((responseData) => {
        // Decrypt the array buffer using the information taken from
        // the event content.
        return encrypt.decryptAttachment(responseData, file);
    }).then((dataArray) => {
        // Turn the array into a Blob and give it the correct MIME-type.

        // IMPORTANT: we must not allow scriptable mime-types into Blobs otherwise
        // they introduce XSS attacks if the Blob URI is viewed directly in the
        // browser (e.g. by copying the URI into a new tab or window.)
        // See warning at top of file.
        let mimetype = info?.mimetype ? info.mimetype.split(";")[0].trim() : '';
        mimetype = getBlobSafeMimeType(mimetype);

        return new Blob([dataArray], { type: mimetype });
    });
}
Move decryptFile into a utility function so that it can be shared between different components Conflicts: src/components/views/messages/MImageBody.js 2016-11-04 15:46:45 +03:00			`/*`
Convert DecryptFile to TS and modernize a bit 2021-03-04 04:22:57 +03:00			`Copyright 2016, 2018, 2021 The Matrix.org Foundation C.I.C.`
Move decryptFile into a utility function so that it can be shared between different components Conflicts: src/components/views/messages/MImageBody.js 2016-11-04 15:46:45 +03:00
			`Licensed under the Apache License, Version 2.0 (the "License");`
			`you may not use this file except in compliance with the License.`
			`You may obtain a copy of the License at`

			`http://www.apache.org/licenses/LICENSE-2.0`

			`Unless required by applicable law or agreed to in writing, software`
			`distributed under the License is distributed on an "AS IS" BASIS,`
			`WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`See the License for the specific language governing permissions and`
			`limitations under the License.`
			`*/`

			`// Pull in the encryption lib so that we can decrypt attachments.`
Review comments Conflicts: src/ContentMessages.js 2016-11-08 14:42:20 +03:00			`import encrypt from 'browser-encrypt-attachment';`
Auto-fix lint errors 2021-06-29 15:11:58 +03:00			`import { mediaFromContent } from "../customisations/Media";`
use the mimetype from the info property rather than the EncryptedFile the mimetype in EncryptedFile is undocumented and redundant. see https://github.com/matrix-org/matrix-doc/pull/2582 2021-08-11 02:25:56 +03:00			`import { IEncryptedFile, IMediaEventInfo } from "../customisations/models/IMediaEventContent";`
Extract blob-safe MIME types 2021-05-06 15:53:27 +03:00			`import { getBlobSafeMimeType } from "./blobs";`
Move decryptFile into a utility function so that it can be shared between different components Conflicts: src/components/views/messages/MImageBody.js 2016-11-04 15:46:45 +03:00
Review comments Conflicts: src/ContentMessages.js 2016-11-08 14:42:20 +03:00			`/**`
			`* Decrypt a file attached to a matrix event.`
use the mimetype from the info property rather than the EncryptedFile the mimetype in EncryptedFile is undocumented and redundant. see https://github.com/matrix-org/matrix-doc/pull/2582 2021-08-11 02:25:56 +03:00			`* @param {IEncryptedFile} file The encrypted file information taken from the matrix event.`
Review comments Conflicts: src/ContentMessages.js 2016-11-08 14:42:20 +03:00			`* This passed to [link]{@link https://github.com/matrix-org/browser-encrypt-attachments}`
			`* as the encryption info object, so will also have the those keys in addition to`
			`* the keys below.`
use the mimetype from the info property rather than the EncryptedFile the mimetype in EncryptedFile is undocumented and redundant. see https://github.com/matrix-org/matrix-doc/pull/2582 2021-08-11 02:25:56 +03:00			`* @param {IMediaEventInfo} info The info parameter taken from the matrix event.`
Convert DecryptFile to TS and modernize a bit 2021-03-04 04:22:57 +03:00			`* @returns {Promise<Blob>} Resolves to a Blob of the file.`
Review comments Conflicts: src/ContentMessages.js 2016-11-08 14:42:20 +03:00			`*/`
use the mimetype from the info property rather than the EncryptedFile the mimetype in EncryptedFile is undocumented and redundant. see https://github.com/matrix-org/matrix-doc/pull/2582 2021-08-11 02:25:56 +03:00			`export function decryptFile(`
			`file: IEncryptedFile,`
			`info: IMediaEventInfo \| undefined,`
			`): Promise<Blob> {`
Auto-fix lint errors 2021-06-29 15:11:58 +03:00			`const media = mediaFromContent({ file });`
Move decryptFile into a utility function so that it can be shared between different components Conflicts: src/components/views/messages/MImageBody.js 2016-11-04 15:46:45 +03:00			`// Download the encrypted file as an array buffer.`
Convert DecryptFile to TS and modernize a bit 2021-03-04 04:22:57 +03:00			`return media.downloadSource().then((response) => {`
Move decryptFile into a utility function so that it can be shared between different components Conflicts: src/components/views/messages/MImageBody.js 2016-11-04 15:46:45 +03:00			`return response.arrayBuffer();`
Convert DecryptFile to TS and modernize a bit 2021-03-04 04:22:57 +03:00			`}).then((responseData) => {`
Move decryptFile into a utility function so that it can be shared between different components Conflicts: src/components/views/messages/MImageBody.js 2016-11-04 15:46:45 +03:00			`// Decrypt the array buffer using the information taken from`
			`// the event content.`
			`return encrypt.decryptAttachment(responseData, file);`
Convert DecryptFile to TS and modernize a bit 2021-03-04 04:22:57 +03:00			`}).then((dataArray) => {`
Move decryptFile into a utility function so that it can be shared between different components Conflicts: src/components/views/messages/MImageBody.js 2016-11-04 15:46:45 +03:00			`// Turn the array into a Blob and give it the correct MIME-type.`
switch back to blob urls for rendering e2e attachments Based on @walle303's work at https://github.com/matrix-org/matrix-react-sdk/pull/1820 Deliberately reverts https://github.com/matrix-org/matrix-react-sdk/commit/8f778f54fd10428836c99d08346cf89f038dd0ce Mitigates XSS by whitelisting the mime-types of the attachments so that malicious ones should not be recognised and executed by the browser. 2018-04-29 05:07:31 +03:00
			`// IMPORTANT: we must not allow scriptable mime-types into Blobs otherwise`
			`// they introduce XSS attacks if the Blob URI is viewed directly in the`
			`// browser (e.g. by copying the URI into a new tab or window.)`
			`// See warning at top of file.`
use the mimetype from the info property rather than the EncryptedFile the mimetype in EncryptedFile is undocumented and redundant. see https://github.com/matrix-org/matrix-doc/pull/2582 2021-08-11 02:25:56 +03:00			`let mimetype = info?.mimetype ? info.mimetype.split(";")[0].trim() : '';`
Extract blob-safe MIME types 2021-05-06 15:53:27 +03:00			`mimetype = getBlobSafeMimeType(mimetype);`
switch back to blob urls for rendering e2e attachments Based on @walle303's work at https://github.com/matrix-org/matrix-react-sdk/pull/1820 Deliberately reverts https://github.com/matrix-org/matrix-react-sdk/commit/8f778f54fd10428836c99d08346cf89f038dd0ce Mitigates XSS by whitelisting the mime-types of the attachments so that malicious ones should not be recognised and executed by the browser. 2018-04-29 05:07:31 +03:00
Auto-fix lint errors 2021-06-29 15:11:58 +03:00			`return new Blob([dataArray], { type: mimetype });`
Move decryptFile into a utility function so that it can be shared between different components Conflicts: src/components/views/messages/MImageBody.js 2016-11-04 15:46:45 +03:00			`});`
			`}`