authorMohamedBassem <me@mbassem.com>2024-04-20 00:03:44 +0100
committerMohamed Bassem <me@mbassem.com>2024-04-20 00:05:31 +0100
commit12c682b357f09cbba7d66d3dbb6d41dda3b46c7b (patch)
tree8024c4ff324a16db9363a589b47d34a738e53e19
parente12fe024a9c837dc88569f80f3f75ead85bdfbde (diff)
downloadkarakeep-12c682b357f09cbba7d66d3dbb6d41dda3b46c7b.tar.zst
fix: Ensure that downloaded asset images are from the allowed content types
-rw-r--r--apps/web/app/api/assets/route.ts13
-rw-r--r--packages/shared/assetdb.ts10
2 files changed, 15 insertions, 8 deletions
diff --git a/apps/web/app/api/assets/route.ts b/apps/web/app/api/assets/route.ts
index a1ebea0f..f1a17fc9 100644
--- a/apps/web/app/api/assets/route.ts
+++ b/apps/web/app/api/assets/route.ts
@@ -2,16 +2,13 @@ import { createContextFromRequest } from "@/server/api/client";
import { TRPCError } from "@trpc/server";
import type { ZUploadResponse } from "@hoarder/shared/types/uploads";
-import { newAssetId, saveAsset } from "@hoarder/shared/assetdb";
+import {
+ newAssetId,
+ saveAsset,
+ SUPPORTED_ASSET_TYPES,
+} from "@hoarder/shared/assetdb";
import serverConfig from "@hoarder/shared/config";
-const SUPPORTED_ASSET_TYPES = new Set([
- "image/jpeg",
- "image/png",
- "image/webp",
- "application/pdf",
-]);
-
const MAX_UPLOAD_SIZE_BYTES = serverConfig.maxAssetSizeMb * 1024 * 1024;
export const dynamic = "force-dynamic";
diff --git a/packages/shared/assetdb.ts b/packages/shared/assetdb.ts
index 1033c594..c070ad54 100644
--- a/packages/shared/assetdb.ts
+++ b/packages/shared/assetdb.ts
@@ -6,6 +6,13 @@ import serverConfig from "./config";
const ROOT_PATH = path.join(serverConfig.dataDir, "assets");
+export const SUPPORTED_ASSET_TYPES = new Set([
+ "image/jpeg",
+ "image/png",
+ "image/webp",
+ "application/pdf",
+]);
+
function getAssetDir(userId: string, assetId: string) {
return path.join(ROOT_PATH, userId, assetId);
}
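Review bot: `SUPPORTED_ASSET_TYPES` is exported as a plain mutable `Set<string>`, so any importer can `.add()`/`.delete()` entries at runtime and silently widen what `saveAsset` accepts; declaring it `export const SUPPORTED_ASSET_TYPES: ReadonlySet<string> = new Set([...])` lets the compiler reject that. A short TSDoc on the constant would also help, because the guard added in the second hunk of this file only compares the declared `metadata.contentType` string against this list and never inspects the asset bytes, so later readers should not treat membership as proof of the file's real format; something like `/** Content types saveAsset accepts. Checked against the declared contentType only, not the file contents. */`. The `contentType` value appears to come from the upload request, so keeping this an exact-match allowlist (case-sensitive, no media-type parameters) is the right conservative choice and is worth stating in that comment.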
@@ -30,6 +37,9 @@ export async function saveAsset({
asset: Buffer;
metadata: z.infer<typeof zAssetMetadataSchema>;
}) {
+ if (!SUPPORTED_ASSET_TYPES.has(metadata.contentType)) {
+ throw new Error("Unsupported asset type");
+ }
const assetDir = getAssetDir(userId, assetId);
await fs.promises.mkdir(assetDir, { recursive: true });