From 53f5015c99b3040e955632525bde4ad70250af9a Mon Sep 17 00:00:00 2001 From: Zephyrrus Date: Tue, 5 Jan 2021 00:25:53 +0200 Subject: feat: check for real mimetype using file-type For now, if file-type returns undefined, we take the value from the browser. In the future this should be removed to ensure people can't bypass the real mime checking using a special file that can't be recognized by file-type. --- src/api/routes/uploads/uploadPOST.js | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) (limited to 'src/api/routes/uploads/uploadPOST.js') diff --git a/src/api/routes/uploads/uploadPOST.js b/src/api/routes/uploads/uploadPOST.js index bba7989..8e26079 100644 --- a/src/api/routes/uploads/uploadPOST.js +++ b/src/api/routes/uploads/uploadPOST.js @@ -1,6 +1,7 @@ const path = require('path'); const jetpack = require('fs-jetpack'); const multer = require('multer'); + const Util = require('../../utils/Util'); const Route = require('../../structures/Route'); const multerStorage = require('../../utils/multerStorage'); @@ -10,6 +11,22 @@ const chunkedUploadsTimeout = 1800000; const chunksDir = path.join(__dirname, '../../../../', process.env.UPLOAD_FOLDER, 'chunks'); const uploadDir = path.join(__dirname, '../../../../', process.env.UPLOAD_FOLDER); + +const cleanUpChunks = async (uuid, onTimeout) => { + // Remove tmp file + await jetpack.removeAsync(path.join(chunksData[uuid].root, chunksData[uuid].filename)) + .catch(error => { + if (error.code !== 'ENOENT') console.error(error); + }); + + // Remove UUID dir + await jetpack.removeAsync(chunksData[uuid].root); + + // Delete cached chunks data + if (!onTimeout) chunksData[uuid].clearTimeout(); + delete chunksData[uuid]; +}; + class ChunksData { constructor(uuid, root) { this.uuid = uuid; 
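Review bot: In the relocated `cleanUpChunks`, `chunksData[uuid]` is dereferenced with no presence check, so a second call for the same uuid would throw a TypeError rather than being a no-op; whether a timeout cleanup and a finish or error cleanup can both fire is not visible in this hunk. The directory removal `await jetpack.removeAsync(chunksData[uuid].root);` also has no `.catch`, unlike the temp-file removal above it, so a failure there rejects before `delete chunksData[uuid]` runs and the entry stays cached. I would open the function with `const entry = chunksData[uuid]; if (!entry) return;` and move the `clearTimeout()`/`delete` pair into a `finally` so the in-memory state is always released.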
@@ -134,7 +151,7 @@ const uploadFile = async (req, res) => { // If the uploaded file is a chunk then just say that it was a success const uuid = req.body.uuid; if (chunksData[uuid] !== undefined) { - req.files.forEach(file => { + req.files.forEach(() => { chunksData[uuid].chunks++; }); res.json({ success: true }); @@ -149,7 +166,7 @@ const uploadFile = async (req, res) => { return infoMap[0]; }; -const finishChunks = async (req, res) => { +const finishChunks = async req => { const check = file => typeof file.uuid !== 'string' || !chunksData[file.uuid] || chunksData[file.uuid].chunks < 2; @@ -228,21 +245,6 @@ const finishChunks = async (req, res) => { } }; -const cleanUpChunks = async (uuid, onTimeout) => { - // Remove tmp file - await jetpack.removeAsync(path.join(chunksData[uuid].root, chunksData[uuid].filename)) - .catch(error => { - if (error.code !== 'ENOENT') console.error(error); - }); - - // Remove UUID dir - await jetpack.removeAsync(chunksData[uuid].root); - - // Delete cached chunks data - if (!onTimeout) chunksData[uuid].clearTimeout(); - delete chunksData[uuid]; -}; - class uploadPOST extends Route { constructor() { super('/upload', 'post', { -- cgit v1.2.3 From e0801f0c195baf677247193c274426b2483eafb1 Mon Sep 17 00:00:00 2001 From: Zephyrrus Date: Wed, 6 Jan 2021 23:31:10 +0200 Subject: fix: use PassThrough from FileType to get the real mimetype of a file while it's being saved to the disk --- src/api/routes/uploads/uploadPOST.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src/api/routes/uploads/uploadPOST.js') diff --git a/src/api/routes/uploads/uploadPOST.js b/src/api/routes/uploads/uploadPOST.js index 8e26079..a0dba27 100644 --- a/src/api/routes/uploads/uploadPOST.js +++ b/src/api/routes/uploads/uploadPOST.js 
@@ -160,7 +160,7 @@ const uploadFile = async (req, res) => { const infoMap = req.files.map(file => ({ path: path.join(uploadDir, file.filename), - data: file + data: { ...file, mimetype: Util.getMimeFromType(file.fileType) || file.mimetype || '' } })); return infoMap[0]; @@ -189,6 +189,8 @@ const finishChunks = async req => { */ file.extname = typeof file.original === 'string' ? Util.getExtension(file.original) : ''; + file.fileType = chunksData[file.uuid].fileType; + file.mimetype = Util.getMimeFromType(chunksData[file.uuid].fileType) || file.mimetype || ''; if (Util.isExtensionBlocked(file.extname)) { throw `${file.extname ? `${file.extname.substr(1).toUpperCase()} files` : 'Files with no extension'} are not permitted.`; // eslint-disable-line no-throw-literal @@ -218,7 +220,7 @@ const finishChunks = async req => { filename: name, originalname: file.original || '', extname: file.extname, - mimetype: file.type || '', + mimetype: file.mimetype, size: file.size, hash }; -- cgit v1.2.3
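Review bot: The `|| file.mimetype` fallback in the `infoMap` entry stores the client-declared type whenever `Util.getMimeFromType(file.fileType)` returns nothing, and the same expression is repeated in the `finishChunks` hunk below. file-type detects by binary signature, so text-based uploads will presumably always take this path, and the record gives no way to tell a verified type from a claimed one. The earlier commit message calls the fallback temporary, but the code does not say so; I would add `// TODO(security): unverified client mimetype, remove once detection is mandatory` at both sites. If the stored type is later used as the response Content-Type, prefer a neutral default such as `Util.getMimeFromType(file.fileType) || 'application/octet-stream'`.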
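Review bot: The `Util.isExtensionBlocked(file.extname)` check right after the two new assignments still decides only on the extension taken from the client-supplied `file.original`, so the detected type is recorded but never takes part in the block decision. If `chunksData[file.uuid].fileType` has file-type's usual `{ ext, mime }` shape (not visible here), also checking the detected extension would catch a renamed file: `const detectedExt = file.fileType && file.fileType.ext ? `.${file.fileType.ext}` : '';` followed by `if (Util.isExtensionBlocked(file.extname) || Util.isExtensionBlocked(detectedExt))`. The leading dot is assumed from the `substr(1)` in the error message. It is also worth confirming that `fileType` is captured from the first chunk only, since later chunks carry no file signature and would otherwise overwrite it with an empty result. The body of `finishChunks` continues outside this hunk.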