Skip to content

Commit 7a88f9d

Browse files
YukaiiYukaii
committed
Check upload image mime type
Signed-off-by: Yukai Huang <yukaihuangtw@gmail.com>
1 parent 381b3ff commit 7a88f9d

3 files changed

Lines changed: 69 additions & 3 deletions

File tree

lib/imageRouter/index.js

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,12 +4,22 @@ const fs = require('fs')
44
const Router = require('express').Router
55
const formidable = require('formidable')
66

7+
const readChunk = require('read-chunk')
8+
const imageType = require('image-type')
9+
710
const config = require('../config')
811
const logger = require('../logger')
912
const response = require('../response')
1013

1114
const imageRouter = module.exports = Router()
1215

16+
function checkImageValid (filepath) {
17+
const supported = ['png', 'jpg', 'jpeg', 'bmp', 'tif', 'tiff', 'gif']
18+
const buffer = readChunk.sync(filepath, 0, 12)
19+
const type = imageType(buffer)
20+
return type && supported.some(e => e === type.ext)
21+
}
22+
1323
// upload image
1424
imageRouter.post('/uploadimage', function (req, res) {
1525
var form = new formidable.IncomingForm()
@@ -24,6 +34,10 @@ imageRouter.post('/uploadimage', function (req, res) {
2434
logger.info('SERVER received uploadimage: ' + JSON.stringify(files.image))
2535
}
2636

37+
if (!checkImageValid(files.image.path)) {
38+
return response.errorForbidden(req, res)
39+
}
40+
2741
const uploadProvider = require('./' + config.imageUploadType)
2842
uploadProvider.uploadImage(files.image.path, function (err, url) {
2943
// remove temporary upload file, and ignore any error

package-lock.json

Lines changed: 53 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

package.json

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -57,6 +57,7 @@
5757
"helmet": "~3.20.0",
5858
"https-proxy-agent": "^3.0.1",
5959
"i18n": "~0.8.3",
60+
"image-type": "^4.1.0",
6061
"isomorphic-fetch": "~2.2.1",
6162
"jsdom-nogyp": "~0.8.3",
6263
"lodash": "~4.17.15",
@@ -89,6 +90,7 @@
8990
"prom-client": "^12.0.0",
9091
"prometheus-api-metrics": "^2.2.5",
9192
"randomcolor": "~0.5.4",
93+
"read-chunk": "^3.2.0",
9294
"readline-sync": "~1.4.7",
9395
"request": "~2.88.0",
9496
"scrypt-kdf": "^2.0.1",

0 commit comments

Comments
 (0)