From ad6b7d25de44678bb99ad55d4270243d7b4ae596 Mon Sep 17 00:00:00 2001
From: Onestay
Date: Mon, 27 Mar 2017 23:07:00 +0200
Subject: [PATCH] added array with blocked file extensions
Added an option to add file extensions to the config which will be rejected (https://github.com/WeebDev/loli-safe/issues/19)
---
 config.sample.js | 9 ++++++++-
 controllers/uploadController.js | 8 +++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/config.sample.js b/config.sample.js
index 49a66ec..8649613 100644
--- a/config.sample.js
+++ b/config.sample.js
@@ -4,7 +4,6 @@ module.exports = {
 If set to true the user will need to specify the auto-generated token on each API call, meaning random strangers wont be able to use the service unless they have the token loli-safe provides you with. - If it's set to false, then upload will be public for anyone to use. */
 private: true,
@@ -34,6 +33,14 @@ module.exports = {
 // Pages to process for the frontend
 pages: ['home', 'auth', 'dashboard', 'faq'],
+ // Add file extensions here which should be blocked
+ blockedExtensions: [
+ '.exe',
+ '.bat',
+ '.cmd',
+ '.msi'
+ ],
+
 // Uploads config
 uploads: {
diff --git a/controllers/uploadController.js b/controllers/uploadController.js
index 39a9364..d9ca04e 100644
--- a/controllers/uploadController.js
+++ b/controllers/uploadController.js
@@ -20,7 +20,13 @@ const storage = multer.diskStorage({
 const upload = multer({
 storage: storage,
- limits: { fileSize: config.uploads.maxSize }
+ limits: { fileSize: config.uploads.maxSize },
+ fileFilter: function(req, file, cb) {
+ if (config.blockedExtensions.some((extension) => { return path.extname(file.originalname) === extension; })) {
+ return cb('This file extension is not allowed');
+ }
+ return cb(null, true);
+ }
 }).array('files[]')
 uploadsController.upload = function(req, res, next) {
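Review bot: The comment added above `blockedExtensions` in config.sample.js should state the matching rule the list depends on, because the consumer in uploadController.js compares each entry with `===` against the result of `path.extname(file.originalname)`: an entry must carry the leading dot, and the comparison is exact and case-sensitive, so `exe` or `.EXE` as written would block nothing. A comment such as `// File extensions to reject on upload. Entries must include the leading dot (e.g. '.exe') and are compared exactly against the upload's last extension.` would save operators from a silently ineffective entry. It is also worth saying in the same comment that the four defaults are a starting point, not a complete list; a denylist keyed on file extension can never be exhaustive.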
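Review bot: The new `fileFilter` in uploadController.js compares `path.extname(file.originalname)` with `===` against the configured entries, so a case variant such as `payload.EXE` or `.Exe` passes the filter while `.exe` is rejected; the extension, and defensively the configured entries, should be lower-cased before comparing. The filter also dereferences `config.blockedExtensions` unconditionally, so a deployment whose existing `config.js` predates this key throws a TypeError on every upload instead of accepting the file; defaulting to an empty list keeps older configs working. Passing a bare string to `cb` is accepted by multer but hands a non-Error value to the Express error handler, so `new Error('This file extension is not allowed')` is the better form. The hunk uses `path.extname` as though `path` is already required at the top of this file, which is outside the hunk and should be confirmed, and a comment should say that matching on the last extension is a coarse safety net rather than the only upload control (for example, nothing here addresses types that browsers render inline). The `multer({...})` call is complete within the hunk.
```javascript
  fileFilter: function(req, file, cb) {
    // Denylist on the last extension only; compared case-insensitively so
    // 'x.EXE' is caught as well as 'x.exe'. Missing config key = nothing blocked.
    const blocked = config.blockedExtensions || [];
    const ext = path.extname(file.originalname).toLowerCase();
    if (blocked.some((extension) => ext === String(extension).toLowerCase())) {
      return cb(new Error('This file extension is not allowed'));
    }
    return cb(null, true);
  }
```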