Check file create permissions before fetching external file

api/src/controllers/files.ts

@@ -5,14 +5,20 @@ import { MetaService, FilesService } from '../services';
 import { File, PrimaryKey } from '../types';
 import formatTitle from '@directus/format-title';
 import env from '../env';
-import axios from 'axios';
+import axios, { AxiosResponse } from 'axios';
 import Joi from 'joi';
-import { InvalidPayloadException, ForbiddenException, FailedValidationException } from '../exceptions';
+import {
+	InvalidPayloadException,
+	ForbiddenException,
+	FailedValidationException,
+	ServiceUnavailableException,
+} from '../exceptions';
 import url from 'url';
 import path from 'path';
 import useCollection from '../middleware/use-collection';
 import { respond } from '../middleware/respond';
 import { toArray } from '../utils/to-array';
+import logger from '../logger';
 
 const router = express.Router();
 
@@ -148,9 +154,27 @@ router.post(
 			schema: req.schema,
 		});
 
-		const fileResponse = await axios.get<NodeJS.ReadableStream>(req.body.url, {
-			responseType: 'stream',
-		});
+		const fileCreatePermissions = req.schema.permissions.find(
+			(permission) => permission.collection === 'directus_files' && permission.action === 'create'
+		);
+
+		if (!fileCreatePermissions) {
+			throw new ForbiddenException();
+		}
+
+		let fileResponse: AxiosResponse<NodeJS.ReadableStream>;
+
+		try {
+			fileResponse = await axios.get<NodeJS.ReadableStream>(req.body.url, {
+				responseType: 'stream',
+			});
+		} catch (err) {
+			logger.warn(`Couldn't fetch file from url "${req.body.url}"`);
+			logger.warn(err);
+			throw new ServiceUnavailableException(`Couldn't fetch file from url "${req.body.url}"`, {
+				service: 'external-file',
+			});
+		}
 
 		const parsedURL = url.parse(fileResponse.request.res.responseUrl);
 		const filename = path.basename(parsedURL.pathname as string);