authorMohamedBassem <me@mbassem.com>2024-04-20 00:03:44 +0100
committerMohamed Bassem <me@mbassem.com>2024-04-20 00:05:31 +0100
commit12c682b357f09cbba7d66d3dbb6d41dda3b46c7b (patch)
tree8024c4ff324a16db9363a589b47d34a738e53e19 /packages/shared/assetdb.ts
parente12fe024a9c837dc88569f80f3f75ead85bdfbde (diff)
downloadkarakeep-12c682b357f09cbba7d66d3dbb6d41dda3b46c7b.tar.zst
fix: Ensure that downloaded asset images are from the allowed content types
Diffstat (limited to 'packages/shared/assetdb.ts')
-rw-r--r--packages/shared/assetdb.ts10
1 files changed, 10 insertions, 0 deletions
diff --git a/packages/shared/assetdb.ts b/packages/shared/assetdb.ts
index 1033c594..c070ad54 100644
--- a/packages/shared/assetdb.ts
+++ b/packages/shared/assetdb.ts
@@ -6,6 +6,13 @@ import serverConfig from "./config";
const ROOT_PATH = path.join(serverConfig.dataDir, "assets");
+export const SUPPORTED_ASSET_TYPES = new Set([
+ "image/jpeg",
+ "image/png",
+ "image/webp",
+ "application/pdf",
+]);
+
function getAssetDir(userId: string, assetId: string) {
return path.join(ROOT_PATH, userId, assetId);
}
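Review bot: `SUPPORTED_ASSET_TYPES` is exported as a plain mutable `Set`, so any importing module can call `.add()` on it and widen the allow-list that `saveAsset` enforces at runtime. Typing it as read-only keeps the list fixed to what is written here: `export const SUPPORTED_ASSET_TYPES: ReadonlySet<string> = new Set([`. The constant also has no comment; something like `// Allow-list of MIME types saveAsset will persist; review how a type is served back before adding it.` would tell the next editor that this is a security boundary and not just a convenience list.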
@@ -30,6 +37,9 @@ export async function saveAsset({
asset: Buffer;
metadata: z.infer<typeof zAssetMetadataSchema>;
}) {
+ if (!SUPPORTED_ASSET_TYPES.has(metadata.contentType)) {
+ throw new Error("Unsupported asset type");
+ }
const assetDir = getAssetDir(userId, assetId);
await fs.promises.mkdir(assetDir, { recursive: true });
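Review bot: The new guard at the top of `saveAsset` checks only the declared `metadata.contentType`; the `asset` buffer is not inspected anywhere in this hunk, so bytes that do not match the label are still written to disk under an allowed type. Where that value comes from is not visible here, but if it is taken from a remote response header or a client upload, it would be worth comparing the buffer's leading bytes against the declared type before the `mkdir`, and making sure stored assets are served with `X-Content-Type-Options: nosniff`. The check is also an exact string match, so a value with parameters or different casing (for example `image/jpeg; charset=binary`) is rejected; that fails closed, but the caller should normalise the value first to avoid spurious errors. The signature of `saveAsset` begins above the hunk and its body continues past it.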