authorOnestay <[email protected]>2017-03-27 23:07:00 +0200
committerOnestay <[email protected]>2017-03-27 23:07:00 +0200
commitad6b7d25de44678bb99ad55d4270243d7b4ae596 (patch)
tree9273627f5f8466facc12b3685765410a79d441cb
parentMerge pull request #21 from RyoshiKayo/patch-2 (diff)
added array with blocked file extensions
Added a config option listing file extensions that will be rejected on upload (https://github.com/WeebDev/loli-safe/issues/19)
-rw-r--r--config.sample.js9
-rw-r--r--controllers/uploadController.js8
2 files changed, 15 insertions, 2 deletions
diff --git a/config.sample.js b/config.sample.js
index 49a66ec..8649613 100644
--- a/config.sample.js
+++ b/config.sample.js
@@ -4,7 +4,6 @@ module.exports = {
If set to true the user will need to specify the auto-generated token
on each API call, meaning random strangers wont be able to use the service
unless they have the token loli-safe provides you with.
-
If it's set to false, then upload will be public for anyone to use.
*/
private: true,
@@ -34,6 +33,14 @@ module.exports = {
// Pages to process for the frontend
pages: ['home', 'auth', 'dashboard', 'faq'],
+ // Add file extensions here which should be blocked
+ blockedExtensions: [
+ '.exe',
+ '.bat',
+ '.cmd',
+ '.msi'
+ ],
+
// Uploads config
uploads: {
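Review bot: The comment above `blockedExtensions` does not say what form an entry must take, and the controller in this commit compares each entry with `===` against `path.extname(file.originalname)`, so an entry written without the leading dot never matches and nothing reports it. I would spell that out: `// File extensions to reject on upload. Entries need the leading dot ('.exe', not 'exe') and are matched exactly.` It is also worth saying in the comment that the four defaults are a starting point, since a short denylist will not cover every type an operator wants to refuse.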
diff --git a/controllers/uploadController.js b/controllers/uploadController.js
index 39a9364..d9ca04e 100644
--- a/controllers/uploadController.js
+++ b/controllers/uploadController.js
@@ -20,7 +20,13 @@ const storage = multer.diskStorage({
const upload = multer({
storage: storage,
- limits: { fileSize: config.uploads.maxSize }
+ limits: { fileSize: config.uploads.maxSize },
+ fileFilter: function(req, file, cb) {
+ if (config.blockedExtensions.some((extension) => { return path.extname(file.originalname) === extension; })) {
+ return cb('This file extension is not allowed');
+ }
+ return cb(null, true);
+ }
}).array('files[]')
uploadsController.upload = function(req, res, next) {
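Review bot: The extension comparison in `fileFilter` is case-sensitive, so with the lower-case sample list a file whose extension is in upper or mixed case is not matched by `path.extname(file.originalname) === extension`. Normalising once before the lookup closes that gap and avoids recomputing the extension for every list entry: `const ext = path.extname(file.originalname).toLowerCase();` followed by `if ((config.blockedExtensions || []).includes(ext)) {`. The `|| []` matters because a `config.js` written before this commit has no `blockedExtensions` key, and calling `.some` on `undefined` would throw on every upload. The check reads only the client-supplied file name, so it is a convenience filter and not a guarantee about what the file contains.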