From fb2ef82b0a39d0a560a261e07c3c73ba25332ecb Mon Sep 17 00:00:00 2001
From: Chris Brame <polonel@gmail.com>
Date: Sat, 18 Jun 2022 12:58:22 -0400
Subject: [PATCH] fix(attachments): file type security fix

---
 .../containers/Tickets/IssuePartial.jsx       |  4 ++-
 src/controllers/tickets.js                    | 26 ++++++++++++++++++-
 src/routes/index.js                           |  7 ++++-
 3 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/src/client/containers/Tickets/IssuePartial.jsx b/src/client/containers/Tickets/IssuePartial.jsx
index cd2a1a027..b74d0b237 100644
--- a/src/client/containers/Tickets/IssuePartial.jsx
+++ b/src/client/containers/Tickets/IssuePartial.jsx
@@ -99,10 +99,12 @@ class IssuePartial extends React.Component {
     const attachmentFile = e.target.files[0]
     formData.append('ticketId', this.ticketId)
     formData.append('attachment', attachmentFile)
+    const token = document.querySelector('meta[name="csrf-token"]').getAttribute('content')
     axios
       .post(`/tickets/uploadattachment`, formData, {
         headers: {
-          'Content-Type': 'multipart/form-data'
+          'Content-Type': 'multipart/form-data',
+          'CSRF-TOKEN': token
         }
       })
       .then(() => {
diff --git a/src/controllers/tickets.js b/src/controllers/tickets.js
index adee697ef..7dde3a86c 100644
--- a/src/controllers/tickets.js
+++ b/src/controllers/tickets.js
@@ -704,9 +704,33 @@ ticketsController.uploadAttachment = function (req, res) {
     let sanitizedFilename = filename.replace(/[^a-z0-9.]/gi, '_').toLowerCase()
 
     const ext = path.extname(sanitizedFilename)
+    const allowedExts = [
+      '.png',
+      '.jpg',
+      '.jpeg',
+      '.tif',
+      '.gif',
+      '.doc',
+      '.docx',
+      '.xlsx',
+      '.xls',
+      '.pdf',
+      '.zip',
+      '.rar',
+      '.7z',
+      '.mp3',
+      '.wav',
+      '.txt',
+      '.mp4',
+      '.avi',
+      '.mpeg',
+      '.eps',
+      '.ai',
+      '.psd'
+    ]
     const badExts = ['.html', '.htm', '.js', '.svg']
 
-    if (badExts.includes(ext)) {
+    if (!allowedExts.includes(ext)) {
       error = {
         status: 400,
         message: 'Invalid File Type'
diff --git a/src/routes/index.js b/src/routes/index.js
index f9b2dd588..38f82752f 100644
--- a/src/routes/index.js
+++ b/src/routes/index.js
@@ -203,7 +203,12 @@ function mainRoutes (router, middleware, controllers) {
   router.get('/tickets/print/:uid', middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.print)
   router.get('/tickets/:id', middleware.redirectToLogin, middleware.loadCommonData, controllers.tickets.single)
   // router.post('/tickets/postcomment', middleware.redirectToLogin, controllers.tickets.postcomment);
-  router.post('/tickets/uploadattachment', middleware.redirectToLogin, controllers.tickets.uploadAttachment)
+  router.post(
+    '/tickets/uploadattachment',
+    middleware.redirectToLogin,
+    middleware.csrfCheck,
+    controllers.tickets.uploadAttachment
+  )
   router.post('/tickets/uploadmdeimage', middleware.redirectToLogin, controllers.tickets.uploadImageMDE)
 
   // Messages