Add file content read/write utilities for QML extensions; add tests

Author: t-book

src/core/utils/fileutils.cpp

@@ -26,13 +26,16 @@
 #include <QMimeDatabase>
 #include <QPainter>
 #include <QPainterPath>
+#include <QStandardPaths>
 #include <qgis.h>
 #include <qgsexiftools.h>
 #include <qgsfileutils.h>
+#include <qgsproject.h>
 #include <qgsrendercontext.h>
 #include <qgstextformat.h>
 #include <qgstextrenderer.h>
 
+
 FileUtils::FileUtils( QObject *parent )
   : QObject( parent )
 {
@@ -318,3 +321,233 @@ void FileUtils::addImageStamp( const QString &imagePath, const QString &text )
     }
   }
 }
+
+bool FileUtils::isWithinProjectDirectory( const QString &filePath )
+{
+  // Get the project instance
+  QgsProject *project = QgsProject::instance();
+  if ( !project || project->fileName().isEmpty() )
+    return false;
+
+  QFileInfo projectFileInfo( project->fileName() );
+  if ( !projectFileInfo.exists() )
+    return false;
+
+  // Get the canonical path for the project directory
+  QString projectDirCanonical = QFileInfo( projectFileInfo.dir().absolutePath() ).canonicalFilePath();
+  if ( projectDirCanonical.isEmpty() )
+  {
+    // Fallback to absolutePath() if canonicalFilePath() is empty
+    projectDirCanonical = QFileInfo( projectFileInfo.dir().absolutePath() ).absoluteFilePath();
+    if ( projectDirCanonical.isEmpty() )
+      return false;
+  }
+
+  // Get target file info and its canonical path
+  QFileInfo targetInfo( filePath );
+  QString targetCanonical;
+
+  if ( targetInfo.exists() || targetInfo.isSymLink() )
+  {
+    targetCanonical = targetInfo.canonicalFilePath();
+    if ( targetCanonical.isEmpty() )
+    {
+      targetCanonical = targetInfo.absoluteFilePath();
+    }
+  }
+  else
+  {
+    // Walk up the directory tree until we find an existing parent
+    QDir dir = targetInfo.dir();
+    QStringList pendingSegments;
+
+    while ( !dir.exists() && dir.cdUp() )
+    {
+      pendingSegments.prepend( QFileInfo( dir.path() ).fileName() );
+    }
+
+    QString existingCanonical = QFileInfo( dir.path() ).canonicalFilePath();
+    if ( existingCanonical.isEmpty() )
+    {
+      existingCanonical = QFileInfo( dir.path() ).absoluteFilePath();
+      if ( existingCanonical.isEmpty() )
+        return false;
+    }
+
+    // Rebuild the target path from existing directories
+    QDir rebuiltDir( existingCanonical );
+    for ( const QString &segment : pendingSegments )
+    {
+      rebuiltDir.cd( segment );
+    }
+
+    targetCanonical = rebuiltDir.absoluteFilePath( targetInfo.fileName() );
+  }
+
+  // Normalize paths for Windows (case-insensitive check)
+#ifdef Q_OS_WIN
+  projectDirCanonical = projectDirCanonical.toLower();
+  targetCanonical = targetCanonical.toLower();
+#endif
+
+  // Check if the target path is equal to or within the project directory
+  return targetCanonical == projectDirCanonical || targetCanonical.startsWith( projectDirCanonical + QDir::separator() );
+}
+
+QByteArray FileUtils::readFileContent( const QString &filePath )
+{
+  QByteArray content;
+
+  if ( !isWithinProjectDirectory( filePath ) )
+  {
+    qWarning() << QStringLiteral( "Security warning: Attempted to read file outside project directory: %1" ).arg( filePath );
+    return QByteArray();
+  }
+
+  QFile file( filePath );
+
+  if ( file.exists() )
+  {
+    if ( file.open( QIODevice::ReadOnly ) )
+    {
+      content = file.readAll();
+      file.close();
+    }
+    else
+    {
+      qDebug() << QStringLiteral( "Failed to read file content: %1" ).arg( file.errorString() );
+    }
+  }
+  else
+  {
+    qDebug() << QStringLiteral( "File does not exist: %1" ).arg( filePath );
+  }
+
+  return content;
+}
+
+bool FileUtils::writeFileContent( const QString &filePath, const QByteArray &content )
+{
+  if ( !isWithinProjectDirectory( filePath ) )
+  {
+    qWarning() << QStringLiteral( "Security warning: Attempted to write file outside project directory: %1" ).arg( filePath );
+    return false;
+  }
+
+  QFile file( filePath );
+  QFileInfo fileInfo( filePath );
+  QDir directory = fileInfo.dir();
+
+  bool isLikelyWritable = false;
+
+#ifdef Q_OS_ANDROID
+  QString appStorage = QStandardPaths::writableLocation( QStandardPaths::AppDataLocation );
+  isLikelyWritable = filePath.startsWith( appStorage );
+#elif defined( Q_OS_IOS )
+  QString appStorage = QStandardPaths::writableLocation( QStandardPaths::AppDataLocation );
+  isLikelyWritable = filePath.startsWith( appStorage );
+#else
+  QFileInfo dirInfo( directory.absolutePath() );
+  isLikelyWritable = dirInfo.isWritable();
+#endif
+
+  if ( !isLikelyWritable )
+  {
+    qWarning() << QStringLiteral( "Writing to %1 may fail due to platform restrictions. Use PlatformUtilities.applicationDirectory() for a safe location." ).arg( filePath );
+  }
+
+  if ( !directory.exists() )
+  {
+    if ( !directory.mkpath( "." ) )
+    {
+      qDebug() << QStringLiteral( "Failed to create directory for file: %1. This may be due to permission restrictions." ).arg( filePath );
+      return false;
+    }
+  }
+
+  if ( file.open( QIODevice::WriteOnly ) )
+  {
+    qint64 bytesWritten = file.write( content );
+    file.close();
+
+    if ( bytesWritten != content.size() )
+    {
+      qDebug() << QStringLiteral( "Failed to write all data to file: %1" ).arg( filePath );
+      return false;
+    }
+
+    return true;
+  }
+  else
+  {
+    QString errorMsg = file.errorString();
+    if ( file.error() == QFile::PermissionsError )
+    {
+      errorMsg += QStringLiteral( " - This may be due to platform security restrictions." );
+    }
+    qDebug() << QStringLiteral( "Failed to open file for writing: %1" ).arg( errorMsg );
+    return false;
+  }
+}
+
+QVariantMap FileUtils::getFileInfo( const QString &filePath )
+{
+  QVariantMap info;
+
+  if ( !isWithinProjectDirectory( filePath ) )
+  {
+    qWarning() << QStringLiteral( "Security warning: Attempted to access file info outside project directory: %1" ).arg( filePath );
+    info["exists"] = false;
+    info["error"] = QStringLiteral( "Access denied: File is outside the current project directory" );
+    return info;
+  }
+
+  QFile file( filePath );
+  QFileInfo fileInfo( filePath );
+
+  if ( fileInfo.exists() )
+  {
+    info["exists"] = true;
+    info["fileName"] = fileInfo.fileName();
+    info["filePath"] = fileInfo.absoluteFilePath();
+    info["fileSize"] = fileInfo.size();
+    info["lastModified"] = fileInfo.lastModified();
+    info["suffix"] = fileInfo.suffix();
+
+    QMimeDatabase db;
+    info["mimeType"] = db.mimeTypeForFile( filePath ).name();
+
+    QByteArray md5Hash = fileChecksum( filePath, QCryptographicHash::Md5 );
+    if ( !md5Hash.isEmpty() )
+    {
+      info["md5"] = md5Hash.toHex();
+    }
+    else
+    {
+      info["md5Error"] = QStringLiteral( "Could not calculate MD5 hash - possibly due to permission restrictions" );
+    }
+
+    if ( file.open( QIODevice::ReadOnly ) )
+    {
+      info["content"] = file.readAll();
+      info["readable"] = true;
+      file.close();
+    }
+    else
+    {
+      info["readable"] = false;
+      info["readError"] = file.errorString();
+
+      if ( file.error() == QFile::PermissionsError )
+      {
+        info["readError"] = info["readError"].toString() + QStringLiteral( " - This may be due to platform security restrictions" );
+      }
+    }
+  }
+  else
+  {
+    info["exists"] = false;
+  }
+
+  return info;
+}

src/core/utils/fileutils.h

@@ -21,6 +21,7 @@
 
 #include <QCryptographicHash>
 #include <QObject>
+#include <QVariantMap>
 #include <qgsfeedback.h>
 
 class GnssPositionInformation;
@@ -48,9 +49,53 @@ class QFIELD_CORE_EXPORT FileUtils : public QObject
     Q_INVOKABLE static QString fileSuffix( const QString &filePath );
     //! Returns a human-friendly size from bytes
     Q_INVOKABLE static QString representFileSize( qint64 bytes );
-    //! Returns the absolute path of tghe folder containing the \a filePath.
+    //! Returns the absolute path of the folder containing the \a filePath.
     Q_INVOKABLE static QString absolutePath( const QString &filePath );
 
+    /**
+    * Checks if a file path is securely within the current project directory.
+    * Security measures:
+    * - Prevents directory traversal attacks using path normalization
+    * - Handles symbolic links that could escape project boundaries
+    * - Supports cross-platform path comparisons (Windows, macOS, Linux, Android, iOS)
+    * - Validates non-existent files safely for write operations
+    * - Prevents partial directory matching by enforcing complete path containment
+    *
+    * \param filePath The path to check
+    * \return True if the path is safely within the current project directory
+    */
+    static bool isWithinProjectDirectory( const QString &filePath );
+
+    /**
+    * Reads the entire content of a file and returns it as a byte array.
+    * \param filePath The path to the file to be read
+    * \return The file content as a QByteArray
+    */
+    Q_INVOKABLE static QByteArray readFileContent( const QString &filePath );
+
+    /**
+    * Writes content to a file.
+    * \param filePath The path to the file to be written
+    * \param content The content to write to the file
+    * \return True if the write operation was successful, false otherwise
+    *
+    * \note Platform restrictions apply:
+    * - On Android: Writing is only permitted within the app's internal storage or
+    *   properly requested scoped storage locations.
+    * - On iOS: Writing is restricted to the app's sandbox.
+    * - Use PlatformUtilities.applicationDirectory() to get a safe write location.
+    */
+    Q_INVOKABLE static bool writeFileContent( const QString &filePath, const QByteArray &content );
+
+    /**
+    * Gets detailed information about a file including content, MD5 hash and metadata.
+    * This is useful for file validation, caching, and efficient file handling in QML.
+    * \param filePath The path to the file
+    * \return A map containing file metadata and optionally its content
+    */
+    Q_INVOKABLE static QVariantMap getFileInfo( const QString &filePath );
+
+
     /**
      * Insures that a given image's width and height are restricted to a maximum size.
      * \param imagePath the image file path