verify that the uploaded modified file is temporary

Author: zadam

package-lock.json

@@ -154,12 +154,16 @@ function saveAttachmentToTmpDir(req) {
     return saveToTmpDir(fileName, content, 'attachments', attachment.attachmentId);
 }
 
+const createdTemporaryFiles = new Set();
+
 function saveToTmpDir(fileName, content, entityType, entityId) {
     const tmpObj = tmp.fileSync({ postfix: fileName });
 
     fs.writeSync(tmpObj.fd, content);
     fs.closeSync(tmpObj.fd);
 
+    createdTemporaryFiles.add(tmpObj.name);
+
     log.info(`Saved temporary file ${tmpObj.name}`);
 
     if (utils.isElectron()) {
@@ -183,6 +187,10 @@ function uploadModifiedFileToNote(req) {
     const noteId = req.params.noteId;
     const {filePath} = req.body;
 
+    if (!createdTemporaryFiles.has(filePath)) {
+        throw new ValidationError(`File '${filePath}' is not a temporary file.`);
+    }
+
     const note = becca.getNoteOrThrow(noteId);
 
     log.info(`Updating note '${noteId}' with content from '${filePath}'`);