From caaec120fa1d14c3714a0245891a9ae697e135de Mon Sep 17 00:00:00 2001
From: Chris Brame
Date: Tue, 15 Jun 2021 21:15:06 -0400
Subject: [PATCH] fix(tickets): security fix 4 #413

---
 src/controllers/tickets.js | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/src/controllers/tickets.js b/src/controllers/tickets.js
index 8f303a53b..9b6d13848 100644
--- a/src/controllers/tickets.js
+++ b/src/controllers/tickets.js
@@ -531,6 +531,34 @@ ticketsController.uploadImageMDE = function (req, res) {
 }
 var ext = path.extname(filename)
+ var allowedExtensions = [
+ '.jpg',
+ '.jpeg',
+ '.jpe',
+ '.jif',
+ '.jfif',
+ '.jfi',
+ '.png',
+ '.gif',
+ '.webp',
+ '.tiff',
+ '.tif',
+ '.bmp',
+ '.dib',
+ '.heif',
+ '.heic',
+ '.svg',
+ '.svgz'
+ ]
+
+ if (!allowedExtensions.includes(ext.toLocaleLowerCase())) {
+ error = {
+ status: 400,
+ message: 'Invalid File Type'
+ }
+
+ return file.resume()
+ }
 var savePath = path.join(__dirname, '../../public/uploads/tickets', object.ticketId)
 // var sanitizedFilename = filename.replace(/[^a-z0-9.]/gi, '_').toLowerCase();
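Review bot: The new allowlist admits `'.svg'` and `'.svgz'`, and since the context line writes uploads under `public/uploads/tickets` these files are presumably served back inline as `image/svg+xml`; an SVG can carry `<script>` and inline event handlers, so an extension filter that keeps it open still allows a stored-XSS payload to be uploaded through the MDE image path that this commit is meant to lock down. Unless the static handler is known to send SVGs with `Content-Disposition: attachment` or a restrictive CSP, the two entries `'.svg',` and `'.svgz'` should be dropped from `allowedExtensions`, or the upload should be rasterized/sanitized before it is stored. Separately, `ext.toLocaleLowerCase()` depends on the host locale, and on a server running with a Turkish locale an uppercase `I` in `.TIF`, `.TIFF`, `.JIF`, `.JFIF`, `.DIB`, `.HEIF` or `.HEIC` maps to dotless `ı` and the file is wrongly rejected; the comparison should use the locale-independent form, `if (!allowedExtensions.includes(ext.toLowerCase())) {`. Note that this is an extension-only check (nothing inspects the stream's magic bytes), which is a sound first gate but will not catch mislabelled content, and that the `uploadImageMDE` body continues outside this hunk, including wherever `error` is declared and later consumed.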