fix(security) : block SVG upload, enforce ROLE_CLIENT restrictions on documents

- Block SVG MIME type in TaskDocumentProcessor upload validation - Serve existing SVG files as attachment (defense-in-depth) in download controller - Block ROLE_CLIENT from uploading documents to tasks (only allowed via portal tickets) - Add Doctrine extension to filter projects by allowedProjects for ROLE_CLIENT Tickets: T-003, T-005, T-006 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-17 15:23:18 +01:00
parent e0dfcbdbf8
commit 2ac815d074
3 changed files with 79 additions and 5 deletions
--- a/src/State/TaskDocumentProcessor.php
+++ b/src/State/TaskDocumentProcessor.php
@@ -25,7 +25,7 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
    private const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50 MB

    private const ALLOWED_MIME_TYPES = [
-        'image/jpeg', 'image/png', 'image/gif', 'image/webp', 'image/svg+xml',
+        'image/jpeg', 'image/png', 'image/gif', 'image/webp',
        'application/pdf',
        'application/msword',
        'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
@@ -40,7 +40,7 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface

    private const MIME_TO_EXTENSION = [
        'image/jpeg'                                                                => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif',
-        'image/webp'                                                                => 'webp', 'image/svg+xml' => 'svg',
+        'image/webp'                                                                => 'webp',
        'application/pdf'                                                           => 'pdf',
        'application/msword'                                                        => 'doc',
        'application/vnd.openxmlformats-officedocument.wordprocessingml.document'   => 'docx',
@@ -92,6 +92,11 @@ final readonly class TaskDocumentProcessor implements ProcessorInterface
        $clientTicket = null;

        if ('' !== $taskIri) {
+            // ROLE_CLIENT (without ROLE_ADMIN) cannot upload documents directly to tasks
+            if ($this->security->isGranted('ROLE_CLIENT') && !$this->security->isGranted('ROLE_ADMIN')) {
+                throw new AccessDeniedHttpException('Clients can only upload documents to client tickets.');
+            }
+
            $task = $this->entityManager->getRepository(Task::class)->find((int) basename($taskIri));

            if (null === $task) {