Conversation
|
@copilot try again |
Co-authored-by: csharpfritz <78577+csharpfritz@users.noreply.github.com>
Co-authored-by: csharpfritz <78577+csharpfritz@users.noreply.github.com>
Co-authored-by: csharpfritz <78577+csharpfritz@users.noreply.github.com>
I've successfully implemented the FileUpload component. Here's what was completed: ✅ Full component implementation with Web Forms-compatible API The component is ready for review in commit 3357d71. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
|
|
||
| private ElementReference _inputElement; | ||
| private IBrowserFile _currentFile; | ||
| private List<IBrowserFile> _currentFiles = new List<IBrowserFile>(); |
Check notice
Code scanning / CodeQL
Missed 'readonly' opportunity Note
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
To fix the issue, we should add the readonly modifier to the _currentFiles field so that its reference cannot be changed after initialization, while still allowing normal list operations (adding/removing items). This preserves all existing behavior that mutates the list’s contents.
Concretely, in src/BlazorWebFormsComponents/FileUpload.razor.cs, update the declaration of _currentFiles on line 24 from private List<IBrowserFile> _currentFiles = new List<IBrowserFile>(); to private readonly List<IBrowserFile> _currentFiles = new List<IBrowserFile>();. No other changes, imports, or additional methods are required, because readonly in C# does not prevent calling methods on the list; it only prevents re-assigning _currentFiles to a different list instance.
| @@ -21,7 +21,7 @@ | ||
|
|
||
| private ElementReference _inputElement; | ||
| private IBrowserFile _currentFile; | ||
| private List<IBrowserFile> _currentFiles = new List<IBrowserFile>(); | ||
| private readonly List<IBrowserFile> _currentFiles = new List<IBrowserFile>(); | ||
|
|
||
| /// <summary> | ||
| /// Gets a value indicating whether the FileUpload control contains a file. |
| { | ||
| // Sanitize filename to prevent directory traversal attacks | ||
| var safeFileName = Path.GetFileName(file.Name); | ||
| var path = Path.Combine(directory, safeFileName); |
Check notice
Code scanning / CodeQL
Call to 'System.IO.Path.Combine' may silently drop its earlier arguments Note
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 8 days ago
In general, the problem is that Path.Combine can ignore earlier path segments if a later argument is an absolute path. The recommended mitigation is to use Path.Join, which always concatenates segments without treating later absolute paths specially. This ensures that the provided directory argument is not silently discarded.
For this code, the best fix is to replace Path.Combine(directory, safeFileName) with Path.Join(directory, safeFileName) inside SaveAllFiles. This preserves functionality—safeFileName is already sanitized with Path.GetFileName, so the resulting path remains a simple concatenation of directory and the final file name, but it removes the risk of directory being ignored if safeFileName were ever absolute for any reason. System.IO.Path is already imported via using System.IO;, and Path.Join is available in modern .NET, so no additional imports or helpers are required. The only change is a single method call on line 182 in src/BlazorWebFormsComponents/FileUpload.razor.cs.
| @@ -179,7 +179,7 @@ | ||
| { | ||
| // Sanitize filename to prevent directory traversal attacks | ||
| var safeFileName = Path.GetFileName(file.Name); | ||
| var path = Path.Combine(directory, safeFileName); | ||
| var path = Path.Join(directory, safeFileName); | ||
| using var stream = file.OpenReadStream(MaxFileSize); | ||
| using var fileStream = new FileStream(path, FileMode.Create); | ||
| await stream.CopyToAsync(fileStream); |
…ritzAndFriends#335) SHIP-BLOCKING BUG FIX: The @onchange binding on <input type='file'> received ChangeEventArgs (no file data), NOT InputFileChangeEventArgs. This meant _currentFile was NEVER populated and HasFile always returned false. Changes: - Replace raw <input type='file'> with Blazor's InputFile component - OnFileChangeInternal now receives InputFileChangeEventArgs with IBrowserFile - _currentFile and _currentFiles properly populated on file selection - HasFile, FileName, FileBytes, FileContent, PostedFile all work correctly - SaveAs() uses Path.GetFileName() to prevent rooted path injection - SaveAllFiles() validates resolved path stays within target directory - _currentFiles is now readonly (security scan fix) - Added HasFiles (plural) property for multi-file detection (Web Forms API) - Removed unused IJSRuntime injection and ElementReference - Updated docs to reflect InputFile usage and HasFiles property
Implements the FileUpload component that emulates the ASP.NET Web Forms FileUpload control, providing file upload functionality with compatibility for Web Forms properties and methods.
Changes Made
FileUpload.razorandFileUpload.razor.cswith full Web Forms-compatible APIHasFile,FileName,FileBytes,FileContent,PostedFile,AllowMultiple,Accept, andMaxFileSizeSaveAs(),SaveAllFiles(),GetMultipleFiles(), and asyncGetFileBytesAsync()for file handlingPostedFileWrapperclass for HttpPostedFile compatibilityBaseStyledComponentfor consistent styling with other Web Forms componentssamples/AfterBlazorServerSide/Pages/ControlSamples/FileUpload/Default.razordocs/EditorControls/FileUpload.mdTesting
The component provides a smooth migration path from ASP.NET Web Forms to Blazor while maintaining security best practices.
Original prompt
💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.