added mimetype blocking (requires `npm run setup` after pull)

3 years ago · ab4ae6fa1e
parent 11c181adf9
commit ab4ae6fa1e
4 changed files with 20 additions and 3 deletions
--- a/MagicNumbers.json
+++ b/MagicNumbers.json
@ -6,6 +6,7 @@
 	"CODE_UNAUTHORIZED": 401,
 	"CODE_NOT_FOUND": 404,
 	"CODE_PAYLOAD_TOO_LARGE": 413,
+	"CODE_UNSUPPORTED_MEDIA_TYPE": 415,
 	"CODE_INTERNAL_SERVER_ERROR": 500,
 	"KILOBYTES": 1024
 }
--- a/README.md
+++ b/README.md
@ -23,7 +23,8 @@
 - ✔️ Upload images, videos, gifs, files
 - ✔️ Fancy embeds on Discord
 - ✔️ Seamless inline video embeds on Discord
- ✔️ Upload log via customizable Discord Webhooks
+- ✔️ Personal upload log via customizable Discord Webhooks
+- ✔️ Mimetype blocking
 - ✔️ File deletion
 - ✔️ Usage metrics
 - ✔️ Thumbnail support
--- a/setup.js
+++ b/setup.js
@ -12,6 +12,7 @@ const config = {
 	diskFilePath: 'uploads/',
 	saveWithDate: false,
 	saveAsOriginal: true,
+	mediaStrict: false,
 	s3enabled: false,
 	s3endpoint: 'sfo3.digitaloceanspaces.com',
 	s3bucket: 'bucket-name',
@ -115,6 +116,12 @@ if (require.main === module) {
 				default: config.saveAsOriginal,
 				required: false
 			},
+			mediaStrict: {
+				description: 'Only allow uploads of media files (images, videos)',
+				type: 'boolean',
+				default: config.mediaStrict,
+				required: false
+			},
 			s3enabled: {
 				description: 'Enable uploading to S3 storage endpoints',
 				type: 'boolean',
--- a/storage.js
+++ b/storage.js
@ -8,9 +8,11 @@ const Thumbnail = require('./thumbnails');
 const Vibrant = require('./vibrant');
 const Hash = require('./hash');
 const { getSafeExt, getDatedDirname, sanitize, generateId } = require('./utils');
-const { s3enabled, s3endpoint, s3bucket, s3accessKey, s3secretKey, saveAsOriginal, maxUploadSize } = require('./config.json');
+const { s3enabled, s3endpoint, s3bucket, s3accessKey, s3secretKey, saveAsOriginal, maxUploadSize, mediaStrict } = require('./config.json');
+const { CODE_UNSUPPORTED_MEDIA_TYPE } = require('./MagicNumbers.json');

 const ID_GEN_LENGTH = 32;
+const ALLOWED_MIMETYPES = /(image)|(video)\//;

 const s3 = new aws.S3({
 	endpoint: new aws.Endpoint(s3endpoint),
@ -29,13 +31,19 @@ function getLocalFilename(req) {
 	return `${getDatedDirname()}/${saveAsOriginal ? req.file.originalname : req.file.sha1}`;
 }

-function processUploaded(req, _, next) {
+function processUploaded(req, res, next) {
 	// Fixes
 	req.file.mimetype = req.file.detectedMimeType;
 	req.file.originalname = sanitize(req.file.originalName);
 	req.file.randomId = generateId('random', ID_GEN_LENGTH, null, null);
 	req.file.deleteId = generateId('random', ID_GEN_LENGTH, null, null);

+	// Block the resource if the mimetype is not an image or video
+	if (mediaStrict && !ALLOWED_MIMETYPES.test(req.file.mimetype)) {
+		fs.remove(req.file.path.concat('.temp'));
+		return res.sendStatus(CODE_UNSUPPORTED_MEDIA_TYPE);
+	}
+
 	// Remove unwanted fields
 	delete req.file.fieldName;
 	delete req.file.originalName;