
Fixes #3 - converts mime type whitelist into blacklist

tags/v0.6.4
Kim Grytøyr 1 year ago
parent
commit
caa702684b
Signed by: kim <kim@grytoyr.io> GPG Key ID: 759EF8C94E0B45B7
5 changed files with 37 additions and 16 deletions
  1. +8
    -4
      data/config.development.yml
  2. +7
    -0
      data/config.production.yml
  3. +1
    -1
      src/lib/config.js
  4. +1
    -1
      src/lib/helpers.js
  5. +20
    -10
      src/lib/paste.js

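--- a/data/config.development.yml
+++ b/data/config.development.yml
@@ -20,10 +20,10 @@ max_age: 0
 # Use n[y|d|h|m|s] where n is a positive number.
 default_age: 0
 
-# mime_types: npaste will allow pastes with the following mime types. The options within each
-# block allows you to specify the type (text or image) and the mime type and
-# extension. The mime type will be used when serving the paste in raw format.
-# The actual files that are saved to disk will use the provided extension.
+# mime_types: The options within each block allows you to specify the type (text or image)
+# and the mime type and extension. The mime type will be used when serving the
+# paste in raw format. The actual files that are saved to disk will use the
+# provided extension.
 mime_types:
 text/plain:
 type: text
@@ -49,3 +49,7 @@ mime_types:
 type: image
 mime_type: image/jpeg
 extension: jpg
+
+# mime_types_blacklist: npaste will not allow pastes with the following mime types.
+mime_types_blacklist:
+- application/x-msdownload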
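Review bot: The deny-list added at the end of this file has a single entry, `application/x-msdownload`, so every other type is now accepted by default, and that one entry may not match what content detection reports. src/lib/paste.js takes the type from the `Magic` detector, and libmagic commonly labels Windows executables `application/x-dosexec` rather than `application/x-msdownload`; this is worth confirming against the detector build in use. I would list the strings the detector actually emits and extend the comment to say `# mime_types_blacklist: exact-match MIME types npaste rejects; anything not listed is accepted, and types missing from mime_types are stored as text/plain.` The same block is added to data/config.production.yml.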

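--- a/data/config.production.yml
+++ b/data/config.production.yml
@@ -4,6 +4,10 @@ path: /home/node/app/data/pastes/
 archive_path: /home/node/app/data/archive/
 max_age: 0
 default_age: 0
+# mime_types: The options within each block allows you to specify the type (text or image)
+# and the mime type and extension. The mime type will be used when serving the
+# paste in raw format. The actual files that are saved to disk will use the
+# provided extension.
 mime_types:
 text/plain:
 type: text
@@ -30,3 +34,6 @@ mime_types:
 mime_type: image/jpeg
 extension: jpg
 
+# mime_types_blacklist: npaste will not allow pastes with the following mime types.
+mime_types_blacklist:
+- application/x-msdownload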

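--- a/src/lib/config.js
+++ b/src/lib/config.js
@@ -3,7 +3,7 @@ const fs = require('fs');
 const yaml = require('js-yaml');
 
 const env = process.env.NODE_ENV || 'development';
-const VERSION = "v0.6.3.2";
+const VERSION = "v0.6.4";
 
 exports.getConfig = () => {
 const configFolder = process.env.CONFIG_PATH || '../data/';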


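--- a/src/lib/helpers.js
+++ b/src/lib/helpers.js
@@ -12,7 +12,7 @@ exports.getMetadata = (id, path) => {
 }
 
 exports.validateMimeType = (paste) => {
-if (typeof config.mime_types[paste.metadata.contentType] === 'undefined') return false;
+if (config.mime_types_blacklist.indexOf(paste.metadata.contentType) !== -1) return false;
 
 return true;
 }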
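Review bot: `config.mime_types_blacklist.indexOf(...)` in validateMimeType throws a TypeError when a deployment's config file predates this commit and has no `mime_types_blacklist` key, and the comparison is exact, so a value that differs only in letter case or carries a `; charset=` parameter is not rejected. A safer form is `const denied = config.mime_types_blacklist || [];` followed by `if (denied.includes(String(paste.metadata.contentType).split(';')[0].trim().toLowerCase())) return false;`. The function now returns true for types absent from `config.mime_types`, so any other caller that reads `config.mime_types[contentType]` after validating needs its own undefined check; those callers are not visible on this page. A comment such as `// Deny-list check: any type not listed in mime_types_blacklist is accepted.` would record the changed contract.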


+ 20
- 10
src/lib/paste.js View File

@@ -199,26 +199,36 @@ const add = (req, res, next) => {
const magic = new Magic(mmm.MAGIC_MIME_TYPE | mmm.MAGIC_MIME_ENCODING);
magic.detectFile(req.file.path, (err, result) => {
if (err) throw err;
let type = result.split(';')[0];
let mimeType = result.split(';')[0];

if (req.body.mimetype) {
type = req.body.mimetype;
mimeType = req.body.mimetype;
}

if (config.mime_types[type]) {
contentType = config.mime_types[type].mime_type;
extension = config.mime_types[type].extension;
}

if (extension == null) {
if (helpers.validateMimeType({
metadata: {
contentType: mimeType,
},
}) === false) {
fs.unlinkSync(req.file.path);
return res.status(400).send('MIME type not allowed: ' + type);
return res.status(400).send('MIME type not allowed: ' + givenType);
}
if (config.mime_types[mimeType]) {
type = config.mime_types[mimeType].type;
contentType = config.mime_types[mimeType].mime_type;
extension = config.mime_types[mimeType].extension;
} else {
// No default set. Fallback to text/plain.
type = "text";
contentType = "text/plain";
extension = "txt";
}

const metadata = {
id: filename,
timestamp: new Date().getTime(),
type: config.mime_types[type].type,
type: type,
contentType: contentType,
extension: extension,
submitter: user.name,
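Review bot: The deny-list check runs on `mimeType` after `req.body.mimetype` has overwritten the detector's result, so the decision rests on a client-supplied label rather than on the file's detected content; under the old allow-list that label at least had to be a configured type, whereas now any unlisted string passes and falls through to the text/plain default. Keep the detected value in its own variable, e.g. `const detected = result.split(';')[0];`, and reject the upload when either `detected` or `req.body.mimetype` fails `helpers.validateMimeType`. The rejection branch also references `givenType`, which is not declared anywhere in this hunk; unless it exists earlier in `add`, the 400 path throws a ReferenceError instead of responding, and `'MIME type not allowed: ' + mimeType` looks like the intent. `type` likewise lost its `let` declaration here, so confirm it is declared before line 199. The body of `add` starts and ends outside the hunk.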

