
Cancel unauthorized file uploads.

n1try committed Sep 3, 2019
1 parent ba66973 commit fb2e9ab5959d880198682b7d909e54b31625291e
@@ -7,6 +7,8 @@ var express = require('express'),
log = require('./../../config/middlewares/log')(),
_ = require('underscore'),
jwtAuth = require('./../../config/middlewares/jwtauth'),
filetype = require('./../../config/middlewares/filetype'),
multipart = require('connect-multiparty'),
mongoose = require('mongoose'),
Image = mongoose.model('Image');

@@ -31,7 +33,7 @@ module.exports = function(app, passport) {
});
});

router.post('/', jwtAuth(passport), function(req, res) {
router.post('/', jwtAuth(passport), multipart({maxFilesSize: config.maxFilesSize}), filetype(config.allowedFileTypes), function(req, res) {
var FILE_UPLOAD_FIELD = "uploadFile";

var tmpPath = req.files[FILE_UPLOAD_FIELD].path;
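Review bot: `req.files[FILE_UPLOAD_FIELD].path` is dereferenced unconditionally, and the `filetype` middleware now placed in front of this handler (per its own hunk) only inspects files that are present, so an authenticated multipart POST with no `uploadFile` part reaches this line and throws a TypeError instead of a clean 4xx. A guard before it closes that hole: `if (!req.files || !req.files[FILE_UPLOAD_FIELD]) return res.status(400).send({ error: "No file uploaded." });`. Ordering `jwtAuth` ahead of `multipart` is the right call, since the body is no longer written to a temp file for unauthenticated callers. The handler body continues past the end of this hunk.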
@@ -5,8 +5,6 @@ var express = require('express')
, bodyParser = require('body-parser')
, compress = require('compression')
, methodOverride = require('method-override')
, multipart = require('connect-multiparty')
, filetype = require('./middlewares/filetype')
, error = require('./middlewares/error')
, passport = require('passport')
, monitoring = require('express-status-monitor');
@@ -48,8 +46,6 @@ module.exports = function(app, config) {

app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));
app.use(multipart({maxFilesSize : config.maxFilesSize}));
app.use(filetype(config.allowedFileTypes));
app.use(compress());
app.use(error());

@@ -6,6 +6,8 @@ module.exports = function () {
if (fullError) loggers.default.error('RES: ' + req.ip + ' ' + req.method + ' ' + req.originalUrl + (req.user ? ' ' + req.user._id : '') + ' ' + code + ' ' + fullError.message + ' ' + fullError.stack);
else loggers.default.error('RES: ' + req.ip + ' ' + req.method + ' ' + req.originalUrl + (req.user ? ' ' + req.user._id : '') + ' ' + code + ' ' + message);

res.set('Connection', 'close');

if (req.accepts('json') && !forceHtml) this.status(code).send({error:message, status:code});
else this.status(code).render('error', {message:message, status:code});
};
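Review bot: The new line addresses the response as `res` while the two lines below it use `this.status(code)`; the function signature is outside the hunk, so I cannot confirm from here that `this` and `res` are the same object, and mixing the two makes that an implicit assumption. Pick one — `res.status(code).send(...)` on both branches, or `this.set('Connection', 'close')` — so a future change to how the handler is bound cannot split them. Presumably the header is meant to stop a rejected client from continuing to stream an upload body over a kept-alive socket; a one-line comment saying so would help, e.g. `// Drop keep-alive so a rejected upload's remaining body is not read.`.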
@@ -1,17 +1,22 @@
var _ = require('underscore');
var _ = require('underscore'),
fs = require('fs');

module.exports = function (allowedTypes) {
function matchType (val) {
for (var i=0; i<allowedTypes.length; i++) {
if (val.match(allowedTypes[i])) return true;
}
return false;
};
function matchType(val) {
for (var i = 0; i < allowedTypes.length; i++) {
if (val.match(allowedTypes[i])) return true;
}
return false;
};

return function (req, res, next) {
if (req.files && Object.keys(req.files).length) {
_.mapObject(req.files, function (val, key) {
if (!matchType(val.type)) res.status(415).send({error : "Type not supported."});
_.each(req.files, function (val, key) {
if (!matchType(val.type)) {
var path = req.files[FILE_UPLOAD_FIELD].path;
fs.unlink(path);
res.status(415).send({ error: "Type not supported." });
}
else next();
});
}
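Review bot: The rejection branch references `FILE_UPLOAD_FIELD`, which is not defined in this file (it is a local of the route handler), so the first disallowed upload throws a ReferenceError before the 415 is sent and the temp file is left on disk; the iteration already has the file in `val`, so `val.path` is what should be unlinked. `fs.unlink(path)` with no callback throws `ERR_INVALID_CALLBACK` on current Node, and since the loop neither returns on rejection nor stops calling `next()` per file, a multi-file request can send a response and then call `next()` one or more times. Note also that `val.type` is the part's client-declared Content-Type, so this is an allow-list on a spoofable header, not a content check — fine as a first gate, but worth a comment such as `// Checks the declared MIME type only; the client controls this value.`. The returned middleware and `module.exports` close after the end of this hunk.
```javascript
return function (req, res, next) {
    if (req.files && Object.keys(req.files).length) {
        var rejected = _.find(req.files, function (val) { return !matchType(val.type); });
        if (rejected) {
            // Remove every temp file multipart already wrote, not only the rejected part.
            _.each(req.files, function (val) {
                fs.unlink(val.path, function (err) {
                    if (err) console.error('filetype: could not remove ' + val.path, err);
                });
            });
            return res.status(415).send({ error: "Type not supported." });
        }
        return next();
    }
    // … unchanged: no-files branch …
```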
@@ -17,7 +17,7 @@ angular.module('anchrClientApp')
return false;
}

reader.onload = function(e){
reader.onload = function(e) {
var encrypted = CryptoJS.AES.encrypt(e.target.result, password);
var blob = new Blob([encrypted], {type: file.type});
blob.name = file.name;
@@ -52,10 +52,8 @@ angular.module('anchrClientApp')
$rootScope.init();
});
}, function (response) {
if (response.status > 0) {
file.err = response.data.error;
file.finished = true;
}
file.err = response.data && response.data.error ? response.data.error : 'Unknown error encountered during upload. Maybe unauthorized?';
file.finished = true;
}, function (evt) {
file.progress = Math.min(100, parseInt(100.0 * evt.loaded / evt.total));
});
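Review bot: The fallback text guesses at the cause ("Maybe unauthorized?") even though `response.status` is still available to the handler and was what the removed lines inspected; with the server now returning a JSON `error` for 401 via the error middleware, the guess mostly shows up on network-level failures where it is wrong. Deriving the fallback from the status keeps the message honest: `var fallback = response.status === 401 ? 'Unauthorized.' : 'Unknown error encountered during upload.'; file.err = (response.data && response.data.error) || fallback;`. The removal of the `status > 0` guard also means aborted or network-failed uploads (status 0) now mark the file as finished with an error, which I read as intended but is worth a comment. The enclosing upload function starts before and ends after this hunk.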
