From fb2ef82b0a39d0a560a261e07c3c73ba25332ecb Mon Sep 17 00:00:00 2001 From: Chris Brame <polonel@gmail.com> Date: Sat, 18 Jun 2022 12:58:22 -0400 Subject: [PATCH] fix(attachments): file type security fix --- .../containers/Tickets/IssuePartial.jsx | 4 ++- src/controllers/tickets.js | 26 ++++++++++++++++++- src/routes/index.js | 7 ++++- 3 files changed, 34 insertions(+), 3 deletions(-) diff --git a/src/client/containers/Tickets/IssuePartial.jsx b/src/client/containers/Tickets/IssuePartial.jsx index cd2a1a027..b74d0b237 100644 --- a/src/client/containers/Tickets/IssuePartial.jsx +++ b/src/client/containers/Tickets/IssuePartial.jsx @@ -99,10 +99,12 @@ class IssuePartial extends React.Component { const attachmentFile = e.target.files[0] formData.append('ticketId', this.ticketId) formData.append('attachment', attachmentFile) + const token = document.querySelector('meta[name="csrf-token"]').getAttribute('content') axios .post(`/tickets/uploadattachment`, formData, { headers: { - 'Content-Type': 'multipart/form-data' + 'Content-Type': 'multipart/form-data', + 'CSRF-TOKEN': token } }) .then(() => { diff --git a/src/controllers/tickets.js b/src/controllers/tickets.js index adee697ef..7dde3a86c 100644 --- a/src/controllers/tickets.js +++ b/src/controllers/tickets.js @@ -704,9 +704,33 @@ ticketsController.uploadAttachment = function (req, res) { let sanitizedFilename = filename.replace(/[^a-z0-9.]/gi, '_').toLowerCase() const ext = path.extname(sanitizedFilename) + const allowedExts = [ + '.png', + '.jpg', + '.jpeg', + '.tif', + '.gif', + '.doc', + '.docx', + '.xlsx', + '.xls', + '.pdf', + '.zip', + '.rar', + '.7z', + '.mp3', + '.wav', + '.txt', + '.mp4', + '.avi', + '.mpeg', + '.eps', + '.ai', + '.psd' + ] const badExts = ['.html', '.htm', '.js', '.svg'] - if (badExts.includes(ext)) { + if (!allowedExts.includes(ext)) { error = { status: 400, message: 'Invalid File Type' diff --git a/src/routes/index.js b/src/routes/index.js index f9b2dd588..38f82752f 100644 --- a/src/routes/index.js +++ b/src/routes/index.js @@ -203,7 +203,12 @@ function mainRoutes (router, middleware, controllers) { router.get('/tickets/print/:uid', middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.print) router.get('/tickets/:id', middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.single) // router.post('/tickets/postcomment', middleware.redirectToLogin, controllers.tickets.postcomment); - router.post('/tickets/uploadattachment', middleware.redirectToLogin, controllers.tickets.uploadAttachment) + router.post( + '/tickets/uploadattachment', + middleware.redirectToLogin, + middleware.csrfCheck, + controllers.tickets.uploadAttachment + ) router.post('/tickets/uploadmdeimage', middleware.redirectToLogin, controllers.tickets.uploadImageMDE) // Messages