Merge pull request #239 from uxbox/438/images-security-checks

438/images security checks

backend/src/uxbox/images.clj

@@ -10,6 +10,7 @@
    [clojure.java.io :as io]
    [clojure.spec.alpha :as s]
    [datoteka.core :as fs]
+   [uxbox.common.exceptions :as ex]
    [uxbox.common.data :as d]
    [uxbox.common.spec :as us]
    [uxbox.util.storage :as ust]
@@ -108,8 +109,12 @@
        (ByteArrayInputStream. thumbnail-data)))))
 
 (defn info
-  [path]
+  [content-type path]
   (let [instance (Info. (str path))]
+    (when-not (= content-type (.getProperty instance "Mime type"))
+      (ex/raise :type :validation
+                :code :image-type-mismatch
+                :hint "Seems like you are uploading a file whose content does not match the extension."))
     {:width (.getImageWidth instance)
      :height (.getImageHeight instance)}))
 

backend/src/uxbox/services/mutations/files.clj

@@ -165,7 +165,7 @@
               :code :image-type-not-allowed
               :hint "Seems like you are uploading an invalid image."))
 
-  (let [image-opts (images/info (:tempfile content))
+  (let [image-opts (images/info (:content-type content) (:tempfile content))
         image-path (imgs/persist-image-on-fs content)
         thumb-opts imgs/thumbnail-options
         thumb-path (imgs/persist-image-thumbnail-on-fs thumb-opts image-path)]

backend/src/uxbox/services/mutations/images.clj

@@ -146,7 +146,8 @@
     (ex/raise :type :validation
               :code :image-type-not-allowed
               :hint "Seems like you are uploading an invalid image."))
-  (let [image-opts (images/info (:tempfile content))
+
+  (let [image-opts (images/info (:content-type content) (:tempfile content))
         image-path (persist-image-on-fs content)
         thumb-opts thumbnail-options
         thumb-path (persist-image-thumbnail-on-fs thumb-opts image-path)]

backend/src/uxbox/services/mutations/profile.clj

@@ -291,7 +291,8 @@
     (ex/raise :type :validation
               :code :image-type-not-allowed
               :hint "Seems like you are uploading an invalid image."))
-  (let [thumb-opts {:width 256
+  (let [image-opts (images/info (:content-type file) (:tempfile file))
+        thumb-opts {:width 256
                     :height 256
                     :quality 75
                     :format "webp"}

frontend/src/uxbox/main/data/messages.cljs

@@ -47,9 +47,10 @@
 
     ptk/WatchEvent
     (watch [_ state stream]
+      (let [stoper (rx/filter (ptk/type? ::show) stream)]
         (->> (rx/of #(dissoc % :message))
-           (rx/delay +animation-timeout+)))))
+             (rx/delay +animation-timeout+)
-
+             (rx/take-until stoper))))))
 
 (defn error
   ([content] (error content {}))

frontend/src/uxbox/main/ui/messages.cljs

@@ -25,7 +25,8 @@
     :warning i/msg-warning
     :error i/msg-error
     :success i/msg-success
-    :info i/msg-info))
+    :info i/msg-info
+    i/msg-error))
 
 (mf/defc notification-item
   [{:keys [type status on-close quick? content] :as props}]

frontend/src/uxbox/util/webapi.cljs

@@ -75,12 +75,12 @@
   [data]
   (assert (string? data) "`data` should be string")
   (let [cboard (unchecked-get js/navigator "clipboard")]
-    (.writeText cboard data)))
+    (.writeText ^js cboard data)))
 
 (defn- read-from-clipboard
   []
   (let [cboard (unchecked-get js/navigator "clipboard")]
-    (rx/from (.readText cboard))))
+    (rx/from (.readText ^js cboard))))
 
 (defn- read-image-from-clipboard
   []
@@ -91,7 +91,7 @@
                       (if img-type
                         (rx/from (.getType item img-type))
                         (rx/empty))))]
-    (->> (rx/from (.read cboard)) ;; Get a stream of item lists
+    (->> (rx/from (.read ^js cboard)) ;; Get a stream of item lists
          (rx/mapcat identity)     ;; Convert each item into an emission
          (rx/switch-map read-item))))