Fix view route and add mimetype inline whitelist

2025-01-20 22:06:57 -05:00 · 2018-07-26 21:53:15 -04:00 · 2018-07-26 21:53:15 -04:00 · f97070452b
commit f97070452b
parent a8acf85052
2 changed files with 44 additions and 36 deletions
--- a/app/routes/view.js
+++ b/app/routes/view.js
@ -1,41 +1,43 @@
-var express = require('express');
-var router = express.Router();
-var fs = require('fs');
-var mongoose = require('mongoose');
-var Upload = mongoose.model('Upload');
+const express = require('express');
+const router = express.Router();
+const config = require('config');

-function addView(name) {
-    Upload.updateOne({name: name}, { $inc: { views: 1 } }, function(err) {
-        if (err) throw err;
-    });
-}
+const ModelPath = '../models/';
+const Upload = require(ModelPath + 'Upload.js');

-router.get('/:name', function(req, res, next) {
-    Upload.findOne({
-        name: req.params.name
-    }, function(err, upload) {
-        if (err) {
-            next(err);
-        } else {
-            if (!upload) {
-                res.sendStatus(404);
-            } else {
-                addView(upload.name);
+const wrap = require('../util/wrap.js');

-                var disposition;
-                if (upload.file.mimetype.split('/')[0] === 'image')
-                    disposition = 'inline';
-                else
-                    disposition = 'attachment; filename="' + upload.file.originalname + '"';
+
+const incrementViews = async id =>
+    Upload.updateOne({id: id}, {$inc: {views: 1}});
+
+
+router.get('/:id', wrap(async (req, res) => {
+    const upload = await Upload.findOne({id: req.params.id});
+    if (!upload)
+        return res.status(404).json({message: 'File not found.'});
+
+    // Increment the file's view counter
+    await incrementViews(req.params.id);
+
+    // Whether the file should be an attachment or displayed inline on the page
+    let inline = false;
+
+    const mimetype = upload.file.mimetype.split('/');
+    const inlineMimeTypes = config.get('View.inlineMimeTypes').map(type => type.split('/'));
+
+    for (let type in inlineMimeTypes)
+        if (mimetype[0] === type[0])
+            if (mimetype[1] === type[1] || type[1] === '*')
+                inline = true;

    res.set({
-                    "Content-Disposition": disposition,
-                    "Content-Type": upload.file.mimetype
-                });
-                fs.createReadStream(upload.file.path).pipe(res);
-            }
-        }
-    });
+        'Content-Disposition': inline ? 'inline' : 'attachment; filename="' + upload.file.originalname + '"',
+        'Content-Type': upload.file.mimetype
    });

+    fs.createReadStream(upload.file.path)
+        .pipe(res);
+}));
+
 module.exports = router;
--- a/config/default.json
+++ b/config/default.json
@ -12,6 +12,12 @@
    "charset": "abcdefghijklmnopqrstuvwxyz",
    "idLength": 6
  },
+  "View": {
+    "inlineMimeTypes": [
+      "image/*",
+      "text/plain"
+    ]
+  },
  "User": {
    "Username": {
      "maxLength": 36,