fix: use req.ip instead, since guests can upload as well
psychobunny committed Apr 19, 2021
1 parent a9978fc commit ea22cd3
Showing 2 changed files with 13 additions and 8 deletions.
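--- a/src/middleware/uploads.js
+++ b/src/middleware/uploads.js
@@ -4,7 +4,6 @@ const LRU = require('lru-cache');
 const meta = require('../meta');
 const helpers = require('./helpers');
 const user = require('../user');
-const controllerHelpers = require('../controllers/helpers');
 
 const cache = new LRU({
 maxAge: meta.config.uploadRateLimitThreshold * 1000,
@@ -13,20 +12,16 @@ const cache = new LRU({
 module.exports = function (middleware) {
 middleware.ratelimitUploads = helpers.try(async (req, res, next) => {
 const { uid } = req;
-if (!uid) {
-return controllerHelpers.notAllowed(req, res);
-}
-
-if (!meta.config.uploadRateLimitThreshold || await user.isAdminOrGlobalMod(req.uid)) {
+if (!meta.config.uploadRateLimitThreshold || uid && await user.isAdminOrGlobalMod(uid)) {
 return next();
 }
 
-const count = (cache.peek(`${uid}:uploaded_file_count`) || 0) + req.files.files.length;
+const count = (cache.peek(`${req.ip}:uploaded_file_count`) || 0) + req.files.files.length;
 if (count > meta.config.uploadRateLimitThreshold) {
 return next(new Error(['[[error:upload-ratelimit-reached]]']));
 }
 
-cache.set(`${uid}:uploaded_file_count`, count);
+cache.set(`${req.ip}:uploaded_file_count`, count);
 next();
 });
 };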
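Review bot: Keying the counter on `req.ip` alone, in both the `cache.peek` and `cache.set` lines, makes the limit depend on how the proxy chain is configured, and it now applies to logged-in users as well as guests. If the app runs behind a reverse proxy and Express's `trust proxy` setting is not configured, every client is seen with the proxy's address and shares one bucket; if forwarded headers are trusted too broadly, the address is client-supplied and the limit no longer binds. Consider keeping the per-account key when `uid` is set and falling back to the address only for guests, e.g. ``const limitKey = uid ? `uid:${uid}` : `ip:${req.ip}`;`` used for both cache calls. A short comment above the key stating the `trust proxy` assumption would also help operators who deploy behind a load balancer.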
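--- a/test/uploads.js
+++ b/test/uploads.js
@@ -151,6 +151,16 @@ describe('Upload Controllers', () => {
 });
 });
 
+it('should fail to upload image to post if image is broken', (done) => {
+helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/brokenimage.png'), {}, jar, csrf_token, (err, res, body) => {
+assert.ifError(err);
+assert.strictEqual(res.statusCode, 500);
+assert(body && body.status && body.status.message);
+assert(body.status.message.startsWith('Input file has corrupt header: pngload: end of stream'));
+done();
+});
+});
+
 it('should fail to upload image to post if image dimensions are too big', (done) => {
 helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/toobig.jpg'), {}, jar, csrf_token, (err, res, body) => {
 assert.ifError(err);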
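Review bot: The added broken-image test pins the response to the image decoder's own wording (`Input file has corrupt header: pngload: end of stream`) together with a 500 status, so it will fail on a dependency bump that rewords the message, and it codifies returning internal library errors to the client. A malformed upload is a client-side fault; if the upload handler can map decode failures to a 4xx with a translated error key, the assertion could check that instead. At minimum, a comment above the `startsWith` assertion noting that the string originates in the image library would tell maintainers why the test breaks after an upgrade.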
