From 12c682b357f09cbba7d66d3dbb6d41dda3b46c7b Mon Sep 17 00:00:00 2001
From: MohamedBassem
Date: Sat, 20 Apr 2024 00:03:44 +0100
Subject: fix: Ensure that downloaded asset images are from the allowed content types

---
 packages/shared/assetdb.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'packages/shared/assetdb.ts')

diff --git a/packages/shared/assetdb.ts b/packages/shared/assetdb.ts
index 1033c594..c070ad54 100644
--- a/packages/shared/assetdb.ts
+++ b/packages/shared/assetdb.ts
@@ -6,6 +6,13 @@ import serverConfig from "./config";
 
 const ROOT_PATH = path.join(serverConfig.dataDir, "assets");
 
+export const SUPPORTED_ASSET_TYPES = new Set([
+ "image/jpeg",
+ "image/png",
+ "image/webp",
+ "application/pdf",
+]);
+
 function getAssetDir(userId: string, assetId: string) {
 return path.join(ROOT_PATH, userId, assetId);
 }
@@ -30,6 +37,9 @@ export async function saveAsset({
 asset: Buffer;
 metadata: z.infer;
 }) {
+ if (!SUPPORTED_ASSET_TYPES.has(metadata.contentType)) {
+ throw new Error("Unsupported asset type");
+ }
 const assetDir = getAssetDir(userId, assetId);
 await fs.promises.mkdir(assetDir, { recursive: true });
 
-- 
cgit v1.2.3-70-g09d2
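Review bot: `SUPPORTED_ASSET_TYPES` is an exported mutable `Set`, so any importer can call `.add(...)` at runtime and silently widen what `saveAsset` will persist; declaring it `export const SUPPORTED_ASSET_TYPES: ReadonlySet<string> = new Set([` turns that into a compile error while leaving read-only callers untouched. The allowlist also has no comment saying what it gates, which matters because adding an entry here is a security decision rather than a feature flag. I would put `/** Media types saveAsset will write under ROOT_PATH; anything else is rejected before touching disk. Keep browser-executable types (svg, html) out of this list. */` above the declaration — the hunk itself does not say why `image/svg+xml` is absent, so the comment states the rule rather than the history.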
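Review bot: The added guard checks only the declared `metadata.contentType` and never inspects `asset`, so any bytes a caller labels `image/png` pass the allowlist and are written to disk; if that label is taken from the remote server's `Content-Type` header (the subject line suggests these are downloaded assets, so this is inferred), a hostile host controls it entirely. I would keep the allowlist as the first gate and add a magic-byte check against the declared type before `getAssetDir` is called, as sketched below. Separately, media types are case-insensitive and may carry parameters, so `IMAGE/PNG` or `image/jpeg; charset=binary` are rejected here — acceptable if strictness is intended, otherwise normalise with `const type = metadata.contentType.split(";")[0].trim().toLowerCase();` before the `.has()` lookup. Whatever serves these files should also send `X-Content-Type-Options: nosniff`, since passing this allowlist does not make the stored bytes safe to render inline; `saveAsset` starts and ends outside this hunk.
```typescript
// … unchanged: saveAsset signature …
  if (!SUPPORTED_ASSET_TYPES.has(metadata.contentType)) {
    throw new Error("Unsupported asset type");
  }
  // The declared type is attacker-influenced; require the leading bytes to agree with it.
  if (!matchesDeclaredType(asset, metadata.contentType)) {
    throw new Error("Asset content does not match declared content type");
  }
  // … unchanged: mkdir and write …

/** True when the file signature at the start of `asset` is the one expected for `contentType`. */
function matchesDeclaredType(asset: Buffer, contentType: string): boolean {
  switch (contentType) {
    case "image/jpeg":
      return asset.subarray(0, 3).equals(Buffer.from([0xff, 0xd8, 0xff]));
    case "image/png":
      return asset
        .subarray(0, 8)
        .equals(Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]));
    case "image/webp":
      return (
        asset.subarray(0, 4).toString("latin1") === "RIFF" &&
        asset.subarray(8, 12).toString("latin1") === "WEBP"
      );
    case "application/pdf":
      return asset.subarray(0, 5).toString("latin1") === "%PDF-";
    default:
      return false;
  }
}
```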