summaryrefslogtreecommitdiff
path: root/lib/web/imageRouter/index.js
diff options
context:
space:
mode:
authorDavid Mehren2020-12-27 19:52:42 +0100
committerGitHub2020-12-27 19:52:42 +0100
commite9306991cdb5ff2752c1eeba3fedba42aec3c2d8 (patch)
tree50eea3b294f40287a8eded1938593d0a2c4f206a /lib/web/imageRouter/index.js
parent58276ebbf4504a682454a3686dcaff88bc1069d4 (diff)
parent6932cc4df7e0c2826e47b2d9ca2f0031f75b1b58 (diff)
Merge pull request from GHSA-wcr3-xhv7-8gxc
Fix arbitrary file upload
Diffstat (limited to 'lib/web/imageRouter/index.js')
-rw-r--r--lib/web/imageRouter/index.js51
1 files changed, 42 insertions, 9 deletions
diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js
index aa02e9b0..afa9bbf6 100644
--- a/lib/web/imageRouter/index.js
+++ b/lib/web/imageRouter/index.js
@@ -2,6 +2,11 @@
const Router = require('express').Router
const formidable = require('formidable')
+const path = require('path')
+const FileType = require('file-type')
+const fs = require('fs')
+const os = require('os')
+const rimraf = require('rimraf')
const config = require('../../config')
const logger = require('../../logger')
@@ -9,26 +14,54 @@ const errors = require('../../errors')
const imageRouter = module.exports = Router()
+async function checkUploadType (filePath) {
+ const typeFromMagic = await FileType.fromFile(filePath)
+ if (typeFromMagic === undefined) {
+ logger.error(`Image upload error: Could not determine MIME-type`)
+ return false
+ }
+ if (path.extname(filePath) !== '.' + typeFromMagic.ext) {
+ logger.error(`Image upload error: Provided file extension does not match MIME-type`)
+ return false
+ }
+ if (!config.allowedUploadMimeTypes.includes(typeFromMagic.mime)) {
+ logger.error(`Image upload error: MIME-type "${typeFromMagic.mime}" of uploaded file not allowed, only "${config.allowedUploadMimeTypes.join(', ')}" are allowed`)
+ return false
+ }
+ return true
+}
+
// upload image
imageRouter.post('/uploadimage', function (req, res) {
- var form = new formidable.IncomingForm()
+ if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) {
+ logger.error(`Image upload error: Anonymous edits and therefore uploads are not allowed)`)
+ return errors.errorForbidden(res)
+ }
+ var form = new formidable.IncomingForm()
form.keepExtensions = true
+ const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'hedgedoc-'))
+ form.uploadDir = tmpDir
- if (config.imageUploadType === 'filesystem') {
- form.uploadDir = config.uploadsPath
- }
-
- form.parse(req, function (err, fields, files) {
- if (err || !files.image || !files.image.path) {
- logger.error(`formidable error: ${err}`)
- errors.errorForbidden(res)
+ form.parse(req, async function (err, fields, files) {
+ if (err) {
+ logger.error(`Image upload error: formidable error: ${err}`)
+ rimraf(tmpDir)
+ return errors.errorForbidden(res)
+ } else if (!files.image || !files.image.path) {
+ logger.error(`Image upload error: Upload didn't contain file)`)
+ rimraf.sync(tmpDir)
+ return errors.errorBadRequest(res)
+ } else if (!await checkUploadType(files.image.path)) {
+ rimraf.sync(tmpDir)
+ return errors.errorBadRequest(res)
} else {
logger.debug(`SERVER received uploadimage: ${JSON.stringify(files.image)}`)
const uploadProvider = require('./' + config.imageUploadType)
logger.debug(`imageRouter: Uploading ${files.image.path} using ${config.imageUploadType}`)
uploadProvider.uploadImage(files.image.path, function (err, url) {
+ rimraf.sync(tmpDir)
if (err !== null) {
logger.error(err)
return res.status(500).end('upload image error')