Check upload image mime type

Yukaii · Yukaii · commit 7a88f9d95ac3 · 2020-12-22T16:48:13.000+08:00
Signed-off-by: Yukai Huang &lt;yukaihuangtw@gmail.com&gt;
diff --git a/lib/imageRouter/index.js b/lib/imageRouter/index.js
@@ -4,12 +4,22 @@ const fs = require('fs')
 const Router = require('express').Router
 const formidable = require('formidable')
 
+const readChunk = require('read-chunk')
+const imageType = require('image-type')
+
 const config = require('../config')
 const logger = require('../logger')
 const response = require('../response')
 
 const imageRouter = module.exports = Router()
 
+function checkImageValid (filepath) {
+  const supported = ['png', 'jpg', 'jpeg', 'bmp', 'tif', 'tiff', 'gif']
+  const buffer = readChunk.sync(filepath, 0, 12)
+  const type = imageType(buffer)
+  return type && supported.some(e => e === type.ext)
+}
+
 // upload image
 imageRouter.post('/uploadimage', function (req, res) {
   var form = new formidable.IncomingForm()
@@ -24,6 +34,10 @@ imageRouter.post('/uploadimage', function (req, res) {
         logger.info('SERVER received uploadimage: ' + JSON.stringify(files.image))
       }
 
+      if (!checkImageValid(files.image.path)) {
+        return response.errorForbidden(req, res)
+      }
+
       const uploadProvider = require('./' + config.imageUploadType)
       uploadProvider.uploadImage(files.image.path, function (err, url) {
         // remove temporary upload file, and ignore any error
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -57,6 +57,7 @@
     "helmet": "~3.20.0",
     "https-proxy-agent": "^3.0.1",
     "i18n": "~0.8.3",
+    "image-type": "^4.1.0",
     "isomorphic-fetch": "~2.2.1",
     "jsdom-nogyp": "~0.8.3",
     "lodash": "~4.17.15",
@@ -89,6 +90,7 @@
     "prom-client": "^12.0.0",
     "prometheus-api-metrics": "^2.2.5",
     "randomcolor": "~0.5.4",
+    "read-chunk": "^3.2.0",
     "readline-sync": "~1.4.7",
     "request": "~2.88.0",
     "scrypt-kdf": "^2.0.1",
