diff options
author | David Mehren | 2020-12-27 19:52:42 +0100 |
---|---|---|
committer | GitHub | 2020-12-27 19:52:42 +0100 |
commit | e9306991cdb5ff2752c1eeba3fedba42aec3c2d8 (patch) | |
tree | 50eea3b294f40287a8eded1938593d0a2c4f206a /lib/web/imageRouter/index.js | |
parent | 58276ebbf4504a682454a3686dcaff88bc1069d4 (diff) | |
parent | 6932cc4df7e0c2826e47b2d9ca2f0031f75b1b58 (diff) |
Merge pull request from GHSA-wcr3-xhv7-8gxc
Fix arbitrary file upload
Diffstat (limited to 'lib/web/imageRouter/index.js')
-rw-r--r-- | lib/web/imageRouter/index.js | 51 |
1 files changed, 42 insertions, 9 deletions
diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js index aa02e9b0..afa9bbf6 100644 --- a/lib/web/imageRouter/index.js +++ b/lib/web/imageRouter/index.js @@ -2,6 +2,11 @@ const Router = require('express').Router const formidable = require('formidable') +const path = require('path') +const FileType = require('file-type') +const fs = require('fs') +const os = require('os') +const rimraf = require('rimraf') const config = require('../../config') const logger = require('../../logger') @@ -9,26 +14,54 @@ const errors = require('../../errors') const imageRouter = module.exports = Router() +async function checkUploadType (filePath) { + const typeFromMagic = await FileType.fromFile(filePath) + if (typeFromMagic === undefined) { + logger.error(`Image upload error: Could not determine MIME-type`) + return false + } + if (path.extname(filePath) !== '.' + typeFromMagic.ext) { + logger.error(`Image upload error: Provided file extension does not match MIME-type`) + return false + } + if (!config.allowedUploadMimeTypes.includes(typeFromMagic.mime)) { + logger.error(`Image upload error: MIME-type "${typeFromMagic.mime}" of uploaded file not allowed, only "${config.allowedUploadMimeTypes.join(', ')}" are allowed`) + return false + } + return true +} + // upload image imageRouter.post('/uploadimage', function (req, res) { - var form = new formidable.IncomingForm() + if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) { + logger.error(`Image upload error: Anonymous edits and therefore uploads are not allowed)`) + return errors.errorForbidden(res) + } + var form = new formidable.IncomingForm() form.keepExtensions = true + const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'hedgedoc-')) + form.uploadDir = tmpDir - if (config.imageUploadType === 'filesystem') { - form.uploadDir = config.uploadsPath - } - - form.parse(req, function (err, fields, files) { - if (err || !files.image || !files.image.path) { - logger.error(`formidable error: ${err}`) - errors.errorForbidden(res) + form.parse(req, async function (err, fields, files) { + if (err) { + logger.error(`Image upload error: formidable error: ${err}`) + rimraf(tmpDir) + return errors.errorForbidden(res) + } else if (!files.image || !files.image.path) { + logger.error(`Image upload error: Upload didn't contain file)`) + rimraf.sync(tmpDir) + return errors.errorBadRequest(res) + } else if (!await checkUploadType(files.image.path)) { + rimraf.sync(tmpDir) + return errors.errorBadRequest(res) } else { logger.debug(`SERVER received uploadimage: ${JSON.stringify(files.image)}`) const uploadProvider = require('./' + config.imageUploadType) logger.debug(`imageRouter: Uploading ${files.image.path} using ${config.imageUploadType}`) uploadProvider.uploadImage(files.image.path, function (err, url) { + rimraf.sync(tmpDir) if (err !== null) { logger.error(err) return res.status(500).end('upload image error') |