enhance(server): better content type detection

misskey-dev · Dec 25, 2021 · d537951 · mei23 · Dec 30, 2021 · d537951
1 parent fe36094
commit d537951
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 4 deletions.
diff --git a/packages/backend/src/const.ts b/packages/backend/src/const.ts
@@ -1,2 +1,33 @@
 export const USER_ONLINE_THRESHOLD = 1000 * 60 * 10; // 10min
 export const USER_ACTIVE_THRESHOLD = 1000 * 60 * 60 * 24 * 3; // 3days
+
+// ブラウザで直接表示することを許可するファイルの種類のリスト
+// ここに含まれないものは application/octet-stream としてレスポンスされる
+// SVGはXSSを生むので許可しない
+export const FILE_TYPE_WHITELIST = [
+	'image/png',
+	'image/gif',
+	'image/jpeg',
+	'image/webp',
+	'image/apng',
+	'image/bmp',
+	'image/tiff',
+	'image/x-icon',
+	'video/mpeg',
+	'video/mp4',
+	'video/mp2t',
+	'video/webm',
+	'video/ogg',
+	'video/3gpp',
+	'video/quicktime',
+	'video/x-m4v',
+	'video/x-msvideo',
+	'audio/mpeg',
+	'audio/aac',
+	'audio/wav',
+	'audio/webm',
+	'audio/ogg',
+	'audio/x-m4a',
+	'audio/x-flac',
+	'application/ogg',
+];
diff --git a/packages/backend/src/server/file/send-drive-file.ts b/packages/backend/src/server/file/send-drive-file.ts
@@ -14,6 +14,7 @@ import { detectType } from '@/misc/get-file-info';
 import { convertToJpeg, convertToPngOrJpeg } from '@/services/drive/image-processor';
 import { GenerateVideoThumbnail } from '@/services/drive/generate-video-thumbnail';
 import { StatusError } from '@/misc/fetch';
+import { FILE_TYPE_WHITELIST } from '@/const';
 
 //const _filename = fileURLToPath(import.meta.url);
 const _filename = __filename;
@@ -27,6 +28,7 @@ const commonReadableHandlerGenerator = (ctx: Koa.Context) => (e: Error): void =>
 	ctx.set('Cache-Control', 'max-age=300');
 };
 
+// eslint-disable-next-line import/no-default-export
 export default async function(ctx: Koa.Context) {
 	const key = ctx.params.key;
 
@@ -81,7 +83,7 @@ export default async function(ctx: Koa.Context) {
 
 				const image = await convertFile();
 				ctx.body = image.data;
-				ctx.set('Content-Type', image.type);
+				ctx.set('Content-Type', FILE_TYPE_WHITELIST.includes(image.type) ? image.type : 'application/octet-stream');
 				ctx.set('Cache-Control', 'max-age=31536000, immutable');
 			} catch (e) {
 				serverLogger.error(`${e}`);
@@ -112,14 +114,14 @@ export default async function(ctx: Koa.Context) {
 		}).toString();
 
 		ctx.body = InternalStorage.read(key);
-		ctx.set('Content-Type', mime);
+		ctx.set('Content-Type', FILE_TYPE_WHITELIST.includes(mime) ? mime : 'application/octet-stream');
 		ctx.set('Cache-Control', 'max-age=31536000, immutable');
 		ctx.set('Content-Disposition', contentDisposition('inline', filename));
 	} else {
 		const readable = InternalStorage.read(file.accessKey!);
 		readable.on('error', commonReadableHandlerGenerator(ctx));
 		ctx.body = readable;
-		ctx.set('Content-Type', file.type);
+		ctx.set('Content-Type', FILE_TYPE_WHITELIST.includes(file.type) ? file.type : 'application/octet-stream');
 		ctx.set('Cache-Control', 'max-age=31536000, immutable');
 		ctx.set('Content-Disposition', contentDisposition('inline', file.name));
 	}

diff --git a/packages/backend/src/server/proxy/proxy-media.ts b/packages/backend/src/server/proxy/proxy-media.ts
@@ -6,6 +6,7 @@ import { createTemp } from '@/misc/create-temp';
 import { downloadUrl } from '@/misc/download-url';
 import { detectType } from '@/misc/get-file-info';
 import { StatusError } from '@/misc/fetch';
+import { FILE_TYPE_WHITELIST } from '@/const';
 
 export async function proxyMedia(ctx: Koa.Context) {
 	const url = 'url' in ctx.query ? ctx.query.url : 'https://' + ctx.params.url;
@@ -18,7 +19,7 @@ export async function proxyMedia(ctx: Koa.Context) {
 
 		const { mime, ext } = await detectType(path);
 
-		if (!mime.startsWith('image/')) throw 403;
+		if (!FILE_TYPE_WHITELIST.includes(mime)) throw 403;
 
 		let image: IImage;
 

diff --git a/packages/backend/src/services/drive/add-file.ts b/packages/backend/src/services/drive/add-file.ts
@@ -20,6 +20,7 @@ import { isDuplicateKeyValueError } from '@/misc/is-duplicate-key-value-error';
 import * as S3 from 'aws-sdk/clients/s3';
 import { getS3 } from './s3';
 import * as sharp from 'sharp';
+import { FILE_TYPE_WHITELIST } from '@/const';
 
 const logger = driveLogger.createSubLogger('register', 'yellow');
 
@@ -241,6 +242,7 @@ export async function generateAlts(path: string, type: string, generateWeb: bool
  */
 async function upload(key: string, stream: fs.ReadStream | Buffer, type: string, filename?: string) {
 	if (type === 'image/apng') type = 'image/png';
+	if (!FILE_TYPE_WHITELIST.includes(type)) type = 'application/octet-stream';
 
 	const meta = await fetchMeta();