open-source-mirrors
/
ass
mirror of https://github.com/tycrek/ass
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

added mimetype blocking (requires `npm run setup` after pull)

Browse Source
pull/29/head
tycrek 3 years ago
parent 11c181adf9
commit ab4ae6fa1e
No known key found for this signature in database
GPG Key ID: 25D74F3943625263
4 changed files with 20 additions and 3 deletions
Show Stats Download Patch File Download Diff File

1
MagicNumbers.json
Unescape View File

@ -6,6 +6,7 @@
"CODE_UNAUTHORIZED": 401, "CODE_UNAUTHORIZED": 401,
"CODE_NOT_FOUND": 404, "CODE_NOT_FOUND": 404,
"CODE_PAYLOAD_TOO_LARGE": 413, "CODE_PAYLOAD_TOO_LARGE": 413,
"CODE_UNSUPPORTED_MEDIA_TYPE": 415,
"CODE_INTERNAL_SERVER_ERROR": 500, "CODE_INTERNAL_SERVER_ERROR": 500,
"KILOBYTES": 1024 "KILOBYTES": 1024
} }

3
README.md
Unescape View File

@ -23,7 +23,8 @@
- ✔️ Upload images, videos, gifs, files - ✔️ Upload images, videos, gifs, files
- ✔️ Fancy embeds on Discord - ✔️ Fancy embeds on Discord
- ✔️ Seamless inline video embeds on Discord - ✔️ Seamless inline video embeds on Discord
- ✔️ Upload log via customizable Discord Webhooks - ✔️ Personal upload log via customizable Discord Webhooks
- ✔️ Mimetype blocking
- ✔️ File deletion - ✔️ File deletion
- ✔️ Usage metrics - ✔️ Usage metrics
- ✔️ Thumbnail support - ✔️ Thumbnail support

7
setup.js
Unescape View File

@ -12,6 +12,7 @@ const config = {
diskFilePath: 'uploads/', diskFilePath: 'uploads/',
saveWithDate: false, saveWithDate: false,
saveAsOriginal: true, saveAsOriginal: true,
mediaStrict: false,
s3enabled: false, s3enabled: false,
s3endpoint: 'sfo3.digitaloceanspaces.com', s3endpoint: 'sfo3.digitaloceanspaces.com',
s3bucket: 'bucket-name', s3bucket: 'bucket-name',
@ -115,6 +116,12 @@ if (require.main === module) {
default: config.saveAsOriginal, default: config.saveAsOriginal,
required: false required: false
}, },
mediaStrict: {
description: 'Only allow uploads of media files (images, videos)',
type: 'boolean',
default: config.mediaStrict,
required: false
},
s3enabled: { s3enabled: {
description: 'Enable uploading to S3 storage endpoints', description: 'Enable uploading to S3 storage endpoints',
type: 'boolean', type: 'boolean',

12
storage.js
Unescape View File

@ -8,9 +8,11 @@ const Thumbnail = require('./thumbnails');
const Vibrant = require('./vibrant'); const Vibrant = require('./vibrant');
const Hash = require('./hash'); const Hash = require('./hash');
const { getSafeExt, getDatedDirname, sanitize, generateId } = require('./utils'); const { getSafeExt, getDatedDirname, sanitize, generateId } = require('./utils');
const { s3enabled, s3endpoint, s3bucket, s3accessKey, s3secretKey, saveAsOriginal, maxUploadSize } = require('./config.json'); const { s3enabled, s3endpoint, s3bucket, s3accessKey, s3secretKey, saveAsOriginal, maxUploadSize, mediaStrict } = require('./config.json');
const { CODE_UNSUPPORTED_MEDIA_TYPE } = require('./MagicNumbers.json');
const ID_GEN_LENGTH = 32; const ID_GEN_LENGTH = 32;
const ALLOWED_MIMETYPES = /(image)|(video)\//;
const s3 = new aws.S3({ const s3 = new aws.S3({
endpoint: new aws.Endpoint(s3endpoint), endpoint: new aws.Endpoint(s3endpoint),
@ -29,13 +31,19 @@ function getLocalFilename(req) {
return `${getDatedDirname()}/${saveAsOriginal ? req.file.originalname : req.file.sha1}`; return `${getDatedDirname()}/${saveAsOriginal ? req.file.originalname : req.file.sha1}`;
} }
function processUploaded(req, _, next) { function processUploaded(req, res, next) {
// Fixes // Fixes
req.file.mimetype = req.file.detectedMimeType; req.file.mimetype = req.file.detectedMimeType;
req.file.originalname = sanitize(req.file.originalName); req.file.originalname = sanitize(req.file.originalName);
req.file.randomId = generateId('random', ID_GEN_LENGTH, null, null); req.file.randomId = generateId('random', ID_GEN_LENGTH, null, null);
req.file.deleteId = generateId('random', ID_GEN_LENGTH, null, null); req.file.deleteId = generateId('random', ID_GEN_LENGTH, null, null);
// Block the resource if the mimetype is not an image or video
if (mediaStrict && !ALLOWED_MIMETYPES.test(req.file.mimetype)) {
fs.remove(req.file.path.concat('.temp'));
return res.sendStatus(CODE_UNSUPPORTED_MEDIA_TYPE);
}
// Remove unwanted fields // Remove unwanted fields
delete req.file.fieldName; delete req.file.fieldName;
delete req.file.originalName; delete req.file.originalName;

Write Preview
Loading…
Cancel
Save