fix: Ensure that downloaded asset images are from the allowed content…

… types
hoarder-app · Apr 19, 2024 · 12c682b · 12c682b
1 parent e12fe02
commit 12c682b
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 8 deletions.
diff --git a/apps/web/app/api/assets/route.ts b/apps/web/app/api/assets/route.ts
@@ -2,16 +2,13 @@ import { createContextFromRequest } from "@/server/api/client";
 import { TRPCError } from "@trpc/server";
 
 import type { ZUploadResponse } from "@hoarder/shared/types/uploads";
-import { newAssetId, saveAsset } from "@hoarder/shared/assetdb";
+import {
+  newAssetId,
+  saveAsset,
+  SUPPORTED_ASSET_TYPES,
+} from "@hoarder/shared/assetdb";
 import serverConfig from "@hoarder/shared/config";
 
-const SUPPORTED_ASSET_TYPES = new Set([
-  "image/jpeg",
-  "image/png",
-  "image/webp",
-  "application/pdf",
-]);
-
 const MAX_UPLOAD_SIZE_BYTES = serverConfig.maxAssetSizeMb * 1024 * 1024;
 
 export const dynamic = "force-dynamic";

diff --git a/packages/shared/assetdb.ts b/packages/shared/assetdb.ts
@@ -6,6 +6,13 @@ import serverConfig from "./config";
 
 const ROOT_PATH = path.join(serverConfig.dataDir, "assets");
 
+export const SUPPORTED_ASSET_TYPES = new Set([
+  "image/jpeg",
+  "image/png",
+  "image/webp",
+  "application/pdf",
+]);
+
 function getAssetDir(userId: string, assetId: string) {
   return path.join(ROOT_PATH, userId, assetId);
 }
@@ -30,6 +37,9 @@ export async function saveAsset({
   asset: Buffer;
   metadata: z.infer<typeof zAssetMetadataSchema>;
 }) {
+  if (!SUPPORTED_ASSET_TYPES.has(metadata.contentType)) {
+    throw new Error("Unsupported asset type");
+  }
   const assetDir = getAssetDir(userId, assetId);
   await fs.promises.mkdir(assetDir, { recursive: true });