fix(attachments): file type security fix
polonel committed Jun 18, 2022
1 parent 9c2c49a commit fb2ef82
Showing 3 changed files with 34 additions and 3 deletions.
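--- a/src/client/containers/Tickets/IssuePartial.jsx
+++ b/src/client/containers/Tickets/IssuePartial.jsx
@@ -99,10 +99,12 @@ class IssuePartial extends React.Component {
 const attachmentFile = e.target.files[0]
 formData.append('ticketId', this.ticketId)
 formData.append('attachment', attachmentFile)
+const token = document.querySelector('meta[name="csrf-token"]').getAttribute('content')
 axios
 .post(`/tickets/uploadattachment`, formData, {
 headers: {
-'Content-Type': 'multipart/form-data'
+'Content-Type': 'multipart/form-data',
+'CSRF-TOKEN': token
 }
 })
 .then(() => {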
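Review bot: The new `const token` line dereferences `document.querySelector('meta[name="csrf-token"]')` without a null check, so a page rendered without that meta tag throws a TypeError inside the change handler before the request is built and the upload silently never happens. If the file already uses optional chaining, `const token = document.querySelector('meta[name="csrf-token"]')?.getAttribute('content')` lets the request go out and be rejected by the server-side check with a visible error instead; otherwise guard it explicitly. It is also worth confirming that `middleware.csrfCheck` reads the header under the exact name `CSRF-TOKEN`, since a mismatch here would make every upload fail once the route guard is in place. The enclosing handler starts and ends outside this hunk.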
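--- a/src/controllers/tickets.js
+++ b/src/controllers/tickets.js
@@ -704,9 +704,33 @@ ticketsController.uploadAttachment = function (req, res) {
 let sanitizedFilename = filename.replace(/[^a-z0-9.]/gi, '_').toLowerCase()
 
 const ext = path.extname(sanitizedFilename)
+const allowedExts = [
+'.png',
+'.jpg',
+'.jpeg',
+'.tif',
+'.gif',
+'.doc',
+'.docx',
+'.xlsx',
+'.xls',
+'.pdf',
+'.zip',
+'.rar',
+'.7z',
+'.mp3',
+'.wav',
+'.txt',
+'.mp4',
+'.avi',
+'.mpeg',
+'.eps',
+'.ai',
+'.psd'
+]
 const badExts = ['.html', '.htm', '.js', '.svg']
 
-if (badExts.includes(ext)) {
+if (!allowedExts.includes(ext)) {
 error = {
 status: 400,
 message: 'Invalid File Type'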
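Review bot: `const badExts = ['.html', '.htm', '.js', '.svg']` is kept as a context line but is no longer read once the condition becomes `!allowedExts.includes(ext)`, so it is dead code that suggests a denylist is still applied; drop that line. The `allowedExts` array is also rebuilt on every request inside the handler — hoisting it to a module-level `const ALLOWED_ATTACHMENT_EXTS = new Set([...])` and testing `ALLOWED_ATTACHMENT_EXTS.has(ext)` keeps the policy in one visible place and reads better. Note that an extension allowlist only constrains the file name, not its bytes; if these attachments are later served back to browsers, they should go out with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` (that path is not visible here, so confirm). uploadAttachment starts and ends outside this hunk.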
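--- a/src/routes/index.js
+++ b/src/routes/index.js
@@ -203,7 +203,12 @@ function mainRoutes (router, middleware, controllers) {
 router.get('/tickets/print/:uid', middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.print)
 router.get('/tickets/:id', middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.single)
 // router.post('/tickets/postcomment', middleware.redirectToLogin, controllers.tickets.postcomment);
-router.post('/tickets/uploadattachment', middleware.redirectToLogin, controllers.tickets.uploadAttachment)
+router.post(
+'/tickets/uploadattachment',
+middleware.redirectToLogin,
+middleware.csrfCheck,
+controllers.tickets.uploadAttachment
+)
 router.post('/tickets/uploadmdeimage', middleware.redirectToLogin, controllers.tickets.uploadImageMDE)
 
 // Messages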
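Review bot: `middleware.csrfCheck` is added only to `/tickets/uploadattachment`, while the neighbouring `/tickets/uploadmdeimage` route on the unchanged line just below still runs with `middleware.redirectToLogin` alone; it is the same session-authenticated multipart POST shape, so it presumably needs the same guard, `router.post('/tickets/uploadmdeimage', middleware.redirectToLogin, middleware.csrfCheck, controllers.tickets.uploadImageMDE)`, with the client sending the token header for it as well. The commented-out `postcomment` route above is dead text and could be deleted in the same pass. mainRoutes starts and ends outside this hunk.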

0 comments on commit fb2ef82

Please sign in to comment.