feat: validate mimetypes (#461)

* feat: validate mimetypes

* fix: validate mimeType when uploading images

server/src/routes/v1/apps/handlers/uploadImageToApp.js

@@ -9,8 +9,8 @@ const {
     getCurrentUserFromRequest,
     currentUserIsManager,
 } = require('../../../../security')
-
 const { addAppMedia, getOrganisationAppsByUserId } = require('../../../../data')
+const { validateImageMetadata } = require('../../../../utils/validateMime')
 
 module.exports = {
     method: 'POST',
@@ -60,6 +60,7 @@ module.exports = {
 
         const imageFile = request.payload.file
         const imageFileMetadata = imageFile.hapi
+        validateImageMetadata(request.server.mime, imageFileMetadata)
 
         const trx = await knex.transaction()
 

server/src/utils/validateMime.js

@@ -0,0 +1,37 @@
+const Boom = require('@hapi/boom')
+const Joi = require('@hapi/joi')
+const Path = require('path')
+
+const allowedImageMimeTypes = ['image/jpeg', 'image/png', 'image/svg+xml']
+const imageMetadataSchema = Joi.object({
+    headers: Joi.object({
+        'content-type': Joi.string().valid(...allowedImageMimeTypes),
+    }).unknown(),
+    filename: Joi.string(),
+}).unknown()
+
+const validateImageMetadata = (mimos, imageMetadata) => {
+    Joi.assert(imageMetadata, imageMetadataSchema)
+    return validateExtensionForMimeType(
+        mimos,
+        imageMetadata.filename,
+        allowedImageMimeTypes
+    )
+}
+
+const validateExtensionForMimeType = (mimos, filePath, mimeTypes) => {
+    if (!Array.isArray(mimeTypes)) {
+        mimeTypes = [mimeTypes]
+    }
+    const ext = Path.extname(filePath).substring(1)
+    const mimeExtensions = mimeTypes.flatMap(t => mimos.type(t).extensions)
+    if (mimeExtensions.includes(ext)) {
+        return true
+    }
+    throw Boom.badRequest(`File extension must be one of [${mimeExtensions}]`)
+}
+
+module.exports = {
+    validateImageMetadata,
+    validateExtensionForMimeType,
+}