Merge pull request #1636 from hackmdio/bugfix/check-image-mime

Check upload image mime type

Author: Yukaii

lib/config/index.js

@@ -189,7 +189,9 @@ switch (config.imageUploadType) {
       'image/png',
       'image/jpg',
       'image/gif',
-      'image/svg+xml'
+      'image/svg+xml',
+      'image/bmp',
+      'image/tiff'
     ]
 }
 

lib/imageRouter/index.js

@@ -1,15 +1,30 @@
 'use strict'
 
 const fs = require('fs')
+const path = require('path')
 const Router = require('express').Router
 const formidable = require('formidable')
 
+const readChunk = require('read-chunk')
+const imageType = require('image-type')
+const mime = require('mime-types')
+
 const config = require('../config')
 const logger = require('../logger')
 const response = require('../response')
 
 const imageRouter = module.exports = Router()
 
+function checkImageValid (filepath) {
+  const buffer = readChunk.sync(filepath, 0, 12)
+  /** @type {{ ext: string, mime: string } | null} */
+  const mimetypeFromBuf = imageType(buffer)
+  const mimeTypeFromExt = mime.lookup(path.extname(filepath))
+
+  return mimetypeFromBuf && config.allowedUploadMimeTypes.includes(mimetypeFromBuf.mime) &&
+         mimeTypeFromExt && config.allowedUploadMimeTypes.includes(mimeTypeFromExt)
+}
+
 // upload image
 imageRouter.post('/uploadimage', function (req, res) {
   var form = new formidable.IncomingForm()
@@ -24,6 +39,10 @@ imageRouter.post('/uploadimage', function (req, res) {
         logger.info('SERVER received uploadimage: ' + JSON.stringify(files.image))
       }
 
+      if (!checkImageValid(files.image.path)) {
+        return response.errorForbidden(req, res)
+      }
+
       const uploadProvider = require('./' + config.imageUploadType)
       uploadProvider.uploadImage(files.image.path, function (err, url) {
         // remove temporary upload file, and ignore any error

lib/utils.js

@@ -2,29 +2,14 @@
 const fs = require('fs')
 const path = require('path')
 const bodyParser = require('body-parser')
+const mime = require('mime-types')
 
 exports.isSQLite = function isSQLite (sequelize) {
   return sequelize.options.dialect === 'sqlite'
 }
 
 exports.getImageMimeType = function getImageMimeType (imagePath) {
-  const fileExtension = /[^.]+$/.exec(imagePath)
-
-  switch (fileExtension[0]) {
-    case 'bmp':
-      return 'image/bmp'
-    case 'gif':
-      return 'image/gif'
-    case 'jpg':
-    case 'jpeg':
-      return 'image/jpeg'
-    case 'png':
-      return 'image/png'
-    case 'tiff':
-      return 'image/tiff'
-    default:
-      return undefined
-  }
+  return mime.lookup(path.extname(imagePath))
 }
 
 exports.isRevealTheme = function isRevealTheme (theme) {

package-lock.json

@@ -57,6 +57,7 @@
     "helmet": "~3.20.0",
     "https-proxy-agent": "^3.0.1",
     "i18n": "~0.8.3",
+    "image-type": "^4.1.0",
     "isomorphic-fetch": "~2.2.1",
     "jsdom-nogyp": "~0.8.3",
     "lodash": "~4.17.15",
@@ -89,6 +90,7 @@
     "prom-client": "^12.0.0",
     "prometheus-api-metrics": "^2.2.5",
     "randomcolor": "~0.5.4",
+    "read-chunk": "^3.2.0",
     "readline-sync": "~1.4.7",
     "request": "~2.88.0",
     "scrypt-kdf": "^2.0.1",