Block disallowed asset uploads

Author: Toastbrot236

Refresh.Interfaces.APIv3/Endpoints/ApiTypes/Errors/ApiModerationError.cs

@@ -2,9 +2,11 @@ namespace Refresh.Interfaces.APIv3.Endpoints.ApiTypes.Errors;
 
 public class ApiModerationError : ApiError
 {
-    public static readonly ApiModerationError Instance = new();
-    
-    public ApiModerationError() : base("This content was flagged as potentially unsafe, and administrators have been alerted. If you believe this is an error, please contact an administrator.", UnprocessableContent)
-    {
-    }
+    public ApiModerationError(string message) : base(message, UnprocessableContent) {}
+
+    public const string AssetAutoFlaggedErrorWhen = "This content was flagged as potentially unsafe, and administrators have been alerted. If you believe this is an error, please contact an administrator.";
+    public static readonly ApiModerationError AssetAutoFlaggedError = new(AssetAutoFlaggedErrorWhen);
+
+    public const string AssetDisallowedErrorWhen = "The asset you tried to upload is disallowed.";
+    public static readonly ApiModerationError AssetDisallowedError = new(AssetDisallowedErrorWhen);
 }

Refresh.Interfaces.APIv3/Endpoints/ResourceApiEndpoints.cs

@@ -200,6 +200,12 @@ IntegrationConfig integration
             return new ApiValidationError($"You have exceeded your filesize quota.");
         }
 
+        if (database.GetDisallowedAssetInfo(hash) != null)
+        {
+            context.Logger.LogWarning(BunkumCategory.UserContent, "User {0} has tried to upload a disallowed asset, rejecting.", user);
+            return ApiModerationError.AssetDisallowedError;
+        }
+
         GameAsset? gameAsset = importer.ReadAndVerifyAsset(hash, body, TokenPlatform.Website, database);
         if (gameAsset == null)
             return ApiValidationError.CannotReadAssetError;
@@ -214,7 +220,7 @@ IntegrationConfig integration
 
         if (aipi != null && aipi.ScanAndHandleAsset(dataContext, gameAsset))
         {
-            return ApiModerationError.Instance;
+            return ApiModerationError.AssetAutoFlaggedError;
         }
 
         database.AddAssetToDatabase(gameAsset);

Refresh.Interfaces.Game/Endpoints/ResourceEndpoints.cs

@@ -61,6 +61,12 @@ public Response UploadAsset(RequestContext context, string hash, string type, by
             context.Logger.LogWarning(BunkumCategory.UserContent, "{0} is above 2MB ({1} bytes), rejecting.", hash, body.Length);
             return RequestEntityTooLarge;
         }
+
+        if (database.GetDisallowedAssetInfo(hash) != null)
+        {
+            context.Logger.LogWarning(BunkumCategory.UserContent, "User {0} has tried to upload a disallowed asset, rejecting.", user);
+            return Unauthorized;
+        }
 
         GameAsset? gameAsset = importer.ReadAndVerifyAsset(hash, body, token.TokenPlatform, database);
         if (gameAsset == null)

RefreshTests.GameServer/Tests/Assets/AssetDisallowanceTests.cs

@@ -1,6 +1,10 @@
+using System.Security.Cryptography;
 using Refresh.Database.Models.Assets;
 using Refresh.Database.Models.Authentication;
 using Refresh.Database.Models.Users;
+using Refresh.Interfaces.APIv3.Endpoints.ApiTypes;
+using Refresh.Interfaces.APIv3.Endpoints.ApiTypes.Errors;
+using Refresh.Interfaces.APIv3.Endpoints.DataTypes.Response.Data;
 using Refresh.Interfaces.Game.Types.UserData;
 using RefreshTests.GameServer.Extensions;
 
@@ -115,4 +119,43 @@ public void ShowModeratedReturnsDisallowedAssetHashes()
         Assert.That(response.Resources.Contains("3"), Is.True);
         Assert.That(response.Resources.Contains("7"), Is.True);
     }
+
+    [Test]
+    public void CannotUploadDisallowedAssetFromGame()
+    {
+        using TestContext context = this.GetServer();
+        GameUser user = context.CreateUser();
+        HttpClient client = context.GetAuthenticatedClient(TokenType.Game, user);
+
+        ReadOnlySpan<byte> data = "TEX a"u8;
+        
+        string hash = BitConverter.ToString(SHA1.HashData(data))
+            .Replace("-", "")
+            .ToLower();
+
+        context.Database.DisallowAsset(hash, GameAssetType.Texture, "Weegee");
+
+        HttpResponseMessage message = client.PostAsync($"/lbp/upload/{hash}", new ByteArrayContent(data.ToArray())).Result;
+        Assert.That(message.StatusCode, Is.EqualTo(Unauthorized));
+    }
+
+    [Test]
+    public void CannotUploadDisallowedAssetFromApi()
+    {
+        using TestContext context = this.GetServer();
+        GameUser user = context.CreateUser();
+        HttpClient client = context.GetAuthenticatedClient(TokenType.Api, user);
+
+        ReadOnlySpan<byte> data = [0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A];
+        
+        string hash = BitConverter.ToString(SHA1.HashData(data))
+            .Replace("-", "")
+            .ToLower();
+
+        context.Database.DisallowAsset(hash, GameAssetType.Png, "Weegee");
+
+        ApiResponse<ApiGameAssetResponse>? response = client.PostData<ApiGameAssetResponse>($"/api/v3/assets/{hash}", new ByteArrayContent(data.ToArray()), false, true);
+        Assert.That(response?.Error, Is.Not.Null);
+        Assert.That(response!.Error!.Name, Is.EqualTo(nameof(ApiModerationError)));
+    }
 }