Merge pull request from colbygk/update_svg_detection

Fix arbitrary upload bug
Colby Gutierrez-Kraybill 2022-03-15 10:03:09 -04:00 committed by GitHub
commit cb32d55a3e
4 changed files with 44 additions and 1 deletions


@ -17,6 +17,12 @@ If recognized, a JSON object will be returned of the form:
Examples:
Synchronous check on if a filename includes an acceptable extension:
```javascript
const assetTypes = require('scratch-asset-types');
const result = assetTypes.acceptableExtension('filename');
```
Synchronous check on a buffer:
```javascript
const assetTypes = require('scratch-asset-types');


@ -3,6 +3,19 @@
const typesList = require('./lib/typeslist');
const readChunk = require('read-chunk');
// Check if the file extension provided is in our
// list of acceptable file formats.
// acceptable, return true
// not acceptable, return false
module.exports.acceptableExtension = fileName => {
const pieces = fileName.split('.');
if (pieces && pieces.length > 1 && pieces[pieces.length - 1] in typesList) {
return true;
}
return false;
};
module.exports.bufferCheck = input => {
const buf = (input instanceof Uint8Array) ? input : new Uint8Array(input);
@ -30,6 +43,11 @@ module.exports.bufferCheck = input => {
return true;
};
// Starts with a <, assume SVG
if (check([0x3c])) {
return typesList.svg;
}
if (check([0xFF, 0xD8, 0xFF])) {
return typesList.jpg;
}


@ -8,6 +8,7 @@ module.exports = {
mj2: {ext: 'jpg', mime: 'image/jpg'},
mp3: {ext: 'mp3', mime: 'audio/mpeg'},
png: {ext: 'png', mime: 'image/png'},
svg: {ext: 'svg', mime: 'image/svg+xml'},
webp: {ext: 'webp', mime: 'image/webp'},
wav: {ext: 'wav', mime: 'audio/x-wav'},
zip: {ext: 'zip', mime: 'application/zip'}


@ -3,7 +3,7 @@ const fileType = require('../../index');
const typesList = require('../../lib/typeslist');
const checkList = [
'gif', 'jpg', 'json', 'mp3', 'png', 'wav', 'webp', 'zip'];
'gif', 'jpg', 'json', 'mp3', 'png', 'svg', 'wav', 'webp', 'zip'];
tap.test('check-types', t => {
checkList.forEach(thisType => {
@ -23,3 +23,21 @@ checkList.forEach(thisType => fileType.asyncCheck(`./test/fixtures/test.${thisTy
t.equals(result.mime, typesList[thisType].mime);
t.end();
})));
tap.test('Accept recognized extensions', t => {
checkList.forEach(thisType => {
const name = `test.${thisType}`;
t.ok(fileType.acceptableExtension(name));
});
t.end();
});
tap.test('reject unrecognized extension', t => {
t.notOk(fileType.acceptableExtension('test.exe'));
t.notOk(fileType.acceptableExtension('test.app'));
t.notOk(fileType.acceptableExtension('test.framework'));
t.notOk(fileType.acceptableExtension('test.doc'));
t.notOk(fileType.acceptableExtension('test.txt'));
t.notOk(fileType.acceptableExtension('test.dll'));
t.end();
});
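Review bot: The new 'reject unrecognized extension' test only uses names whose suffix is absent from typesList; it does not exercise a name with no extension, an empty extension, or a suffix that is an inherited Object property name, which the `in` check in acceptableExtension would accept. Add cases such as `t.notOk(fileType.acceptableExtension('test'));`, `t.notOk(fileType.acceptableExtension('test.'));` and `t.notOk(fileType.acceptableExtension('test.constructor'));`. The 'Accept recognized extensions' test could also pin the case-sensitivity decision with either `t.ok` or `t.notOk` on `'test.PNG'`, whichever is intended.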