Sfoglia il codice sorgente

Merge pull request #22 from Onestay/onestay

added array with blocked file extensions
Kanacchi 7 anni fa
parent
commit
3e38e138ca
2 ha cambiato i file con 15 aggiunte e 2 eliminazioni
  1. 8 1
      config.sample.js
  2. 7 1
      controllers/uploadController.js

+ 8 - 1
config.sample.js

@@ -4,7 +4,6 @@ module.exports = {
 		If set to true the user will need to specify the auto-generated token
 		If set to true the user will need to specify the auto-generated token
 		on each API call, meaning random strangers wont be able to use the service
 		on each API call, meaning random strangers wont be able to use the service
 		unless they have the token loli-safe provides you with.
 		unless they have the token loli-safe provides you with.
-
 		If it's set to false, then upload will be public for anyone to use.
 		If it's set to false, then upload will be public for anyone to use.
 	*/
 	*/
 	private: true,
 	private: true,
@@ -34,6 +33,14 @@ module.exports = {
 	// Pages to process for the frontend
 	// Pages to process for the frontend
 	pages: ['home', 'auth', 'dashboard', 'faq'],
 	pages: ['home', 'auth', 'dashboard', 'faq'],
 
 
+	// Add file extensions here which should be blocked
+	blockedExtensions: [
+		'.exe',
+		'.bat',
+		'.cmd',
+		'.msi'
+	],
+
 	// Uploads config
 	// Uploads config
 	uploads: {
 	uploads: {
 
 

+ 7 - 1
controllers/uploadController.js

@@ -20,7 +20,13 @@ const storage = multer.diskStorage({
 
 
 const upload = multer({
 const upload = multer({
 	storage: storage,
 	storage: storage,
-	limits: { fileSize: config.uploads.maxSize }
+	limits: { fileSize: config.uploads.maxSize },
+	fileFilter: function(req, file, cb) {
+		if (config.blockedExtensions.some((extension) => { return path.extname(file.originalname) === extension; })) {
+			return cb('This file extension is not allowed');
+		}
+		return cb(null, true);
+	}
 }).array('files[]')
 }).array('files[]')
 
 
 uploadsController.upload = function(req, res, next) {
 uploadsController.upload = function(req, res, next) {