
Add filename sanitization for photo wall

(also add more default uploads)
bkimminich committed Nov 1, 2019
1 parent c7bfa68 commit 38946db8da639d8e48f7f8f5331f49247c820b05
@@ -255,6 +255,14 @@ memories:
-
image: 'magn(et)ificent!-1571814229653.jpg'
caption: 'Magn(et)ificent!'
user: bjoernGoogle
-
image: 'my-rare-collectors-item!-[̲̅$̲̅(̲̅-͡°-͜ʖ-͡°̲̅)̲̅$̲̅]-1572603645543.jpg'
caption: 'My rare collectors item! [̲̅$̲̅(̲̅ ͡° ͜ʖ ͡°̲̅)̲̅$̲̅]'
user: bjoernGoogle
-
image: '😼-#zatschi-#whoneedsfourlegs-1572600969477.jpg'
caption: '😼 #zatschi #whoneedsfourlegs'
user: bjoernOwasp
ctf:
showFlagsInNotifications: false
@@ -167,7 +167,6 @@
key: bjoern
role: 'admin'
isAdmin: true
profileImage: '12.jpg'
securityQuestion:
id: 9
answer: 'West-2082' # http://www.alte-postleitzahlen.de/uetersen
@@ -176,8 +175,8 @@
password: 'kitten lesser pooch karate buffoon indoors'
customDomain: true
key: bjoernOwasp
role: 'admin'
profileImage: '13.jpg'
role: 'deluxe'
profileImage: '12.jpg'
securityQuestion:
id: 7
answer: 'Zaya' # https://www.youtube.com/watch?v=Lu0-kDdtVf4
@@ -3,6 +3,7 @@ const crypto = require('crypto')
const expressJwt = require('express-jwt')
const jwt = require('jsonwebtoken')
const sanitizeHtml = require('sanitize-html')
const sanitizeFilename = require('sanitize-filename')
const z85 = require('z85')
const utils = require('./utils')
const fs = require('fs')
@@ -29,6 +30,7 @@ exports.verify = (token) => jwt.verify(token, publicKey, { expiresIn: 3600 * 5,

exports.sanitizeHtml = html => sanitizeHtml(html)
exports.sanitizeLegacy = (input = '') => input.replace(/<(?:\w+)\W+?[\w]/gi, '')
exports.sanitizeFilename = filename => sanitizeFilename(filename)

exports.authenticatedUsers = {
tokenMap: {},
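Review bot: The new `exports.sanitizeFilename` wrapper is undocumented, and its contract matters to callers that build paths from the result: sanitize-filename strips path separators, reserved and control characters, truncates the result to 255 bytes, and returns an empty string for names that reduce to nothing (e.g. `..`), so the output is safe as a single path segment but is neither unique nor guaranteed non-empty. I would put a JSDoc above it such as `/** Reduce a user-supplied name to one safe path segment; may return '' and is not unique — callers must add their own disambiguation. */`. The underlying library also appears to throw on non-string input, so callers passing anything other than multer's `originalname` should check the type first.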
@@ -123,6 +123,7 @@
"pug": "^2.0.4",
"replace": "^1.1.1",
"request": "^2.88.0",
"sanitize-filename": "^1.6.3",
"sanitize-html": "1.4.2",
"semver": "^6.3.0",
"sequelize": "^5.21.1",
@@ -13,8 +13,6 @@ const bodyParser = require('body-parser')
const cors = require('cors')
const securityTxt = require('express-security.txt')
const robots = require('express-robots-txt')
const multer = require('multer')
const upload = multer({ storage: multer.memoryStorage(), limits: { fileSize: 200000 } })
const yaml = require('js-yaml')
const swaggerUi = require('swagger-ui-express')
const RateLimit = require('express-rate-limit')
@@ -88,31 +86,33 @@ const deluxe = require('./routes/deluxe')
const memory = require('./routes/memory')
const locales = require('./data/static/locales')
const i18n = require('i18n')
const multer = require('multer')
const uploadToMemory = multer({ storage: multer.memoryStorage(), limits: { fileSize: 200000 } })

const mimeTypeMap = {
'image/png': 'png',
'image/jpeg': 'jpg',
'image/jpg': 'jpg'
}

const storage = multer.diskStorage({
destination: (req, file, cb) => {
const isValid = mimeTypeMap[file.mimetype]
let error = new Error('Invalid mime type')
if (isValid) {
error = null
const uploadToDisk = multer({ storage: multer.diskStorage({
destination: (req, file, cb) => {
const isValid = mimeTypeMap[ file.mimetype ]
let error = new Error('Invalid mime type')
if (isValid) {
error = null
}
cb(error, './frontend/dist/frontend/assets/public/images/uploads/')
},
filename: (req, file, cb) => {
const name = insecurity.sanitizeFilename(file.originalname)
.toLowerCase()
.split(' ')
.join('-')
const ext = mimeTypeMap[ file.mimetype ]
cb(null, name + '-' + Date.now() + '.' + ext)
}
cb(error, './frontend/dist/frontend/assets/public/images/uploads/')
},
filename: (req, file, cb) => {
const name = file.originalname
.toLowerCase()
.split(' ')
.join('-')
const ext = mimeTypeMap[file.mimetype]
cb(null, name + '-' + Date.now() + '.' + ext)
}
})
}) })

errorhandler.title = `${config.get('application.name')} (Express ${utils.version('express')})`
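Review bot: `uploadToDisk` is created without a `limits` option, so the disk-backed uploads it handles have no size cap, while `uploadToMemory` at the top of the hunk keeps `limits: { fileSize: 200000 }`; add a limit, e.g. `const uploadToDisk = multer({ limits: { fileSize: 200000 }, storage: multer.diskStorage({`, with whatever size photos actually need. The stored extension is still chosen from `file.mimetype`, which is the client-declared part Content-Type, so arbitrary bytes can land in the public uploads directory under a `.png`/`.jpg` name; if that matters here, verify the content after the write or in `memory.addMemory()`. The sanitized name can also be an empty string (sanitize-filename reduces names like `..` to nothing), which yields `-<timestamp>.jpg` — harmless, but worth a one-line comment in the `filename` callback. Minor style: `mimeTypeMap[ file.mimetype ]` on two of the new lines has spaces inside the brackets, unlike the surrounding code.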

@@ -196,10 +196,10 @@ app.use(i18n.init)

app.use(bodyParser.urlencoded({ extended: true }))
/* File Upload */
app.post('/file-upload', upload.single('file'), ensureFileIsPassed, handleZipFileUpload, checkUploadSize, checkFileType, handleXmlUpload)
app.post('/profile/image/file', upload.single('file'), profileImageFileUpload())
app.post('/profile/image/url', upload.single('file'), profileImageUrlUpload())
app.post('/api/Memorys', multer({ storage: storage }).single('image'), insecurity.appendUserId(), memory.addMemory())
app.post('/file-upload', uploadToMemory.single('file'), ensureFileIsPassed, handleZipFileUpload, checkUploadSize, checkFileType, handleXmlUpload)
app.post('/profile/image/file', uploadToMemory.single('file'), profileImageFileUpload())
app.post('/profile/image/url', uploadToMemory.single('file'), profileImageUrlUpload())
app.post('/api/Memorys', uploadToDisk.single('image'), insecurity.appendUserId(), memory.addMemory())

app.use(bodyParser.text({ type: '*/*' }))
app.use(function jsonParser (req, res, next) {
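Review bot: On the `/api/Memorys` route, `uploadToDisk.single('image')` runs before `insecurity.appendUserId()`, so the file is written into the public uploads directory before the request's token is looked at, and a request without a valid token still leaves a file on disk. An authentication check should run ahead of the disk-backed multer middleware; since `appendUserId()` appears to write into `req.body`, which multer repopulates, it probably cannot simply be moved in front, so a separate token-verifying middleware placed before `uploadToDisk.single('image')` is the cleaner fix. The three memory-backed routes keep their previous ordering and are unaffected.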
