fix(tickets): security fix 4 #413

polonel · Jun 16, 2021 · caaec12 · caaec12
1 parent 648e369
commit caaec12
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/src/controllers/tickets.js b/src/controllers/tickets.js
@@ -531,6 +531,34 @@ ticketsController.uploadImageMDE = function (req, res) {
     }
 
     var ext = path.extname(filename)
+    var allowedExtensions = [
+      '.jpg',
+      '.jpeg',
+      '.jpe',
+      '.jif',
+      '.jfif',
+      '.jfi',
+      '.png',
+      '.gif',
+      '.webp',
+      '.tiff',
+      '.tif',
+      '.bmp',
+      '.dib',
+      '.heif',
+      '.heic',
+      '.svg',
+      '.svgz'
+    ]
+
+    if (!allowedExtensions.includes(ext.toLocaleLowerCase())) {
+      error = {
+        status: 400,
+        message: 'Invalid File Type'
+      }
+
+      return file.resume()
+    }
 
     var savePath = path.join(__dirname, '../../public/uploads/tickets', object.ticketId)
     // var sanitizedFilename = filename.replace(/[^a-z0-9.]/gi, '_').toLowerCase();