From 25c5ae404a20f72cfbca9e8f36df9a403ba31224 Mon Sep 17 00:00:00 2001
From: Chris Brame
Date: Sun, 20 Jun 2021 19:48:58 -0400
Subject: [PATCH] fix(uploads): security fix
---
 src/controllers/tickets.js | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/controllers/tickets.js b/src/controllers/tickets.js
index 9b6d13848..bdb38d631 100644
--- a/src/controllers/tickets.js
+++ b/src/controllers/tickets.js
@@ -637,7 +637,7 @@ ticketsController.uploadAttachment = function (req, res) {
 if (
 mimetype.indexOf('image/') === -1 &&
- mimetype.indexOf('text/') === -1 &&
+ mimetype.indexOf('text/plain') === -1 &&
 mimetype.indexOf('audio/mpeg') === -1 &&
 mimetype.indexOf('audio/mp3') === -1 &&
 mimetype.indexOf('audio/wav') === -1 &&
@@ -660,6 +660,18 @@ ticketsController.uploadAttachment = function (req, res) {
 var savePath = path.join(__dirname, '../../public/uploads/tickets', object.ticketId)
 var sanitizedFilename = filename.replace(/[^a-z0-9.]/gi, '_').toLowerCase()
+ var ext = path.extname(sanitizedFilename)
+ var badExts = ['.html', '.htm', '.js']
+
+ if (badExts.includes(ext)) {
+ error = {
+ status: 400,
+ message: 'Invalid File Type'
+ }
+
+ return file.resume()
+ }
+
 if (!fs.existsSync(savePath)) fs.ensureDirSync(savePath)
 object.filePath = path.join(savePath, 'attachment_' + sanitizedFilename)
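Review bot: Tightening `text/` to `text/plain` still leaves `image/` as a bare substring test, so `image/svg+xml` is accepted, and an SVG carrying `<script>` stored under `public/uploads` and opened in the browser is a classic stored-XSS vector; anchor the match and exclude SVG, e.g. `(mimetype.indexOf('image/') !== 0 || mimetype.indexOf('image/svg') === 0) &&`. Where `mimetype` is read is outside the hunk, but in this style of multipart handler it appears to be the part's own Content-Type header, i.e. attacker-asserted, so this list can only be a first filter and the extension check further down has to carry the real weight. The `if` condition and the rest of uploadAttachment's body continue beyond the hunk.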
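Review bot: The new denylist `['.html', '.htm', '.js']` misses other extensions browsers treat as active content when served straight from the static `public/uploads` tree — `.svg`, `.xhtml`, `.shtml`, `.mjs`, `.xml` — and a denylist will keep falling behind; with a MIME allowlist already a few lines up, an allowlist of the extensions that correspond to it (that MIME list runs past the hunk, so I cannot spell it out here) is the robust shape. As a minimum, widen the list: `var badExts = ['.html', '.htm', '.xhtml', '.shtml', '.js', '.mjs', '.svg']`. Note `path.extname(sanitizedFilename)` returns `''` for a bare name and `'.'` for a trailing dot, both of which sail past `badExts.includes(ext)`, so whatever serves `public/uploads` should also send `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment` rather than rely on the name alone. `error` is assigned but only `file.resume()` is returned, so I am assuming a later handler outside the hunk turns it into the 400; uploadAttachment begins and ends outside this hunk.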