From 90a51dc44a11da0830d365637c8c51d8d80b8bda Mon Sep 17 00:00:00 2001
From: Andrey Antukh <niwi@niwi.nz>
Date: Fri, 26 Mar 2021 23:38:03 +0100
Subject: [PATCH] :bug: Only allow bitmap images on team and profile photo.

---
 backend/src/app/media.clj                 | 11 ++++++-----
 backend/src/app/rpc/mutations/profile.clj |  2 +-
 backend/src/app/rpc/mutations/teams.clj   |  3 ++-
 3 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/backend/src/app/media.clj b/backend/src/app/media.clj
index 211257b0d..1886ac626 100644
--- a/backend/src/app/media.clj
+++ b/backend/src/app/media.clj
@@ -188,8 +188,9 @@
 ;; --- Utility functions
 
 (defn validate-media-type
-  [media-type]
-  (when-not (cm/valid-media-types media-type)
-    (ex/raise :type :validation
-              :code :media-type-not-allowed
-              :hint "Seems like you are uploading an invalid media object")))
+  ([mtype] (validate-media-type mtype cm/valid-media-types))
+  ([mtype allowed]
+   (when-not (contains? allowed mtype)
+     (ex/raise :type :validation
+               :code :media-type-not-allowed
+               :hint "Seems like you are uploading an invalid media object"))))
diff --git a/backend/src/app/rpc/mutations/profile.clj b/backend/src/app/rpc/mutations/profile.clj
index a6a5cb1c2..dc0ec95fe 100644
--- a/backend/src/app/rpc/mutations/profile.clj
+++ b/backend/src/app/rpc/mutations/profile.clj
@@ -386,8 +386,8 @@
 
 (sv/defmethod ::update-profile-photo
   [{:keys [pool storage] :as cfg} {:keys [profile-id file] :as params}]
-  (media/validate-media-type (:content-type file))
   (db/with-atomic [conn pool]
+    (media/validate-media-type (:content-type file) #{"image/jpeg" "image/png" "image/webp"})
     (let [profile (db/get-by-id conn :profile profile-id)
           _       (media/run cfg {:cmd :info :input {:path (:tempfile file)
                                                      :mtype (:content-type file)}})
diff --git a/backend/src/app/rpc/mutations/teams.clj b/backend/src/app/rpc/mutations/teams.clj
index 2e74be086..be2c428a6 100644
--- a/backend/src/app/rpc/mutations/teams.clj
+++ b/backend/src/app/rpc/mutations/teams.clj
@@ -255,9 +255,10 @@
 
 (sv/defmethod ::update-team-photo
   [{:keys [pool storage] :as cfg} {:keys [profile-id file team-id] :as params}]
-  (media/validate-media-type (:content-type file))
   (db/with-atomic [conn pool]
     (teams/check-edition-permissions! conn profile-id team-id)
+    (media/validate-media-type (:content-type file) #{"image/jpeg" "image/png" "image/webp"})
+
     (let [team    (teams/retrieve-team conn profile-id team-id)
           _       (media/run cfg {:cmd :info :input {:path (:tempfile file)
                                                      :mtype (:content-type file)}})