Fix view route and add mimetype inline whitelist

app/routes/view.js

@@ -1,41 +1,43 @@
-var express = require('express');
+const express = require('express');
-var router = express.Router();
+const router = express.Router();
-var fs = require('fs');
+const config = require('config');
-var mongoose = require('mongoose');
-var Upload = mongoose.model('Upload');
 
-function addView(name) {
+const ModelPath = '../models/';
-    Upload.updateOne({name: name}, { $inc: { views: 1 } }, function(err) {
+const Upload = require(ModelPath + 'Upload.js');
-        if (err) throw err;
+
+const wrap = require('../util/wrap.js');
+
+
+const incrementViews = async id =>
+    Upload.updateOne({id: id}, {$inc: {views: 1}});
+
+
+router.get('/:id', wrap(async (req, res) => {
+    const upload = await Upload.findOne({id: req.params.id});
+    if (!upload)
+        return res.status(404).json({message: 'File not found.'});
+
+    // Increment the file's view counter
+    await incrementViews(req.params.id);
+
+    // Whether the file should be an attachment or displayed inline on the page
+    let inline = false;
+
+    const mimetype = upload.file.mimetype.split('/');
+    const inlineMimeTypes = config.get('View.inlineMimeTypes').map(type => type.split('/'));
+
+    for (let type in inlineMimeTypes)
+        if (mimetype[0] === type[0])
+            if (mimetype[1] === type[1] || type[1] === '*')
+                inline = true;
+
+    res.set({
+        'Content-Disposition': inline ? 'inline' : 'attachment; filename="' + upload.file.originalname + '"',
+        'Content-Type': upload.file.mimetype
     });
-}
 
-router.get('/:name', function(req, res, next) {
+    fs.createReadStream(upload.file.path)
-    Upload.findOne({
+        .pipe(res);
-        name: req.params.name
+}));
-    }, function(err, upload) {
-        if (err) {
-            next(err);
-        } else {
-            if (!upload) {
-                res.sendStatus(404);
-            } else {
-                addView(upload.name);
-
-                var disposition;
-                if (upload.file.mimetype.split('/')[0] === 'image')
-                    disposition = 'inline';
-                else
-                    disposition = 'attachment; filename="' + upload.file.originalname + '"';
-
-                res.set({
-                    "Content-Disposition": disposition,
-                    "Content-Type": upload.file.mimetype
-                });
-                fs.createReadStream(upload.file.path).pipe(res);
-            }
-        }
-    });
-});
 
 module.exports = router;

config/default.json

@@ -12,6 +12,12 @@
     "charset": "abcdefghijklmnopqrstuvwxyz",
     "idLength": 6
   },
+  "View": {
+    "inlineMimeTypes": [
+      "image/*",
+      "text/plain"
+    ]
+  },
   "User": {
     "Username": {
       "maxLength": 36,