From cf4344d9e031d2e0bf70b8d8f75ab27ecf8d29ad Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Sun, 27 Dec 2020 11:31:01 +0100
Subject: Improve MIME-type checks of uploaded files

This commit adds a check if the MIME-type of the uploaded file (detected using the magic bytes) matches the file extension.

Signed-off-by: David Mehren
---
 package.json | 1 +
 1 file changed, 1 insertion(+)

(limited to 'package.json')

diff --git a/package.json b/package.json
index e90ec03c..c77045ab 100644
--- a/package.json
+++ b/package.json
@@ -43,6 +43,7 @@
 "express": ">=4.14",
 "express-session": "^1.14.2",
 "file-saver": "^1.3.3",
+ "file-type": "^16.1.0",
 "flowchart.js": "^1.6.4",
 "fork-awesome": "^1.1.3",
 "formidable": "^1.0.17",
--
cgit v1.2.3

From 6932cc4df7e0c2826e47b2d9ca2f0031f75b1b58 Mon Sep 17 00:00:00 2001
From: David Mehren
Date: Sun, 27 Dec 2020 15:52:26 +0100
Subject: Always save uploads to a tmpdir first and cleanup afterwards

This makes sure no unintended files are permanently saved.

Co-authored-by: Yannick Bungers
Signed-off-by: David Mehren
---
 package.json | 1 +
 1 file changed, 1 insertion(+)

(limited to 'package.json')

diff --git a/package.json b/package.json
index c77045ab..ae234182 100644
--- a/package.json
+++ b/package.json
@@ -112,6 +112,7 @@
 "readline-sync": "^1.4.7",
 "request": "^2.88.0",
 "reveal.js": "^3.9.2",
+ "rimraf": "^3.0.2",
 "scrypt-async": "^2.0.1",
 "scrypt-kdf": "^2.0.1",
 "select2": "^3.5.2-browserify",
--
cgit v1.2.3