From 90a51dc44a11da0830d365637c8c51d8d80b8bda Mon Sep 17 00:00:00 2001
From: Andrey Antukh
Date: Fri, 26 Mar 2021 23:38:03 +0100
Subject: [PATCH] :bug: Only allow bitmap images on team and profile photo.
---
 backend/src/app/media.clj | 11 ++++++-----
 backend/src/app/rpc/mutations/profile.clj | 2 +-
 backend/src/app/rpc/mutations/teams.clj | 3 ++-
 3 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/backend/src/app/media.clj b/backend/src/app/media.clj
index 211257b0d..1886ac626 100644
--- a/backend/src/app/media.clj
+++ b/backend/src/app/media.clj
@@ -188,8 +188,9 @@
 ;; --- Utility functions
 (defn validate-media-type
- [media-type]
- (when-not (cm/valid-media-types media-type)
- (ex/raise :type :validation
- :code :media-type-not-allowed
- :hint "Seems like you are uploading an invalid media object")))
+ ([mtype] (validate-media-type mtype cm/valid-media-types))
+ ([mtype allowed]
+ (when-not (contains? allowed mtype)
+ (ex/raise :type :validation
+ :code :media-type-not-allowed
+ :hint "Seems like you are uploading an invalid media object"))))
diff --git a/backend/src/app/rpc/mutations/profile.clj b/backend/src/app/rpc/mutations/profile.clj
index a6a5cb1c2..dc0ec95fe 100644
--- a/backend/src/app/rpc/mutations/profile.clj
+++ b/backend/src/app/rpc/mutations/profile.clj
@@ -386,8 +386,8 @@
 (sv/defmethod ::update-profile-photo
 [{:keys [pool storage] :as cfg} {:keys [profile-id file] :as params}]
- (media/validate-media-type (:content-type file))
 (db/with-atomic [conn pool]
+ (media/validate-media-type (:content-type file) #{"image/jpeg" "image/png" "image/webp"})
 (let [profile (db/get-by-id conn :profile profile-id)
 _ (media/run cfg {:cmd :info :input {:path (:tempfile file)
 :mtype (:content-type file)}})
diff --git a/backend/src/app/rpc/mutations/teams.clj b/backend/src/app/rpc/mutations/teams.clj
index 2e74be086..be2c428a6 100644
--- a/backend/src/app/rpc/mutations/teams.clj
+++ b/backend/src/app/rpc/mutations/teams.clj
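Review bot: The new two-arity `validate-media-type` has no docstring, and its `allowed` argument only acts as an allow-list when the caller passes a set — `contains?` on a vector tests indices, not membership — so that contract should be stated at the defn. Suggested docstring right after the name: `"Raise a :validation error unless mtype is a member of allowed, a set of MIME type strings; the one-arity form checks against cm/valid-media-types."`. The comparison is on the raw declared content-type string, so a value carrying parameters (a constructed example: `image/png; charset=utf-8`) would be rejected rather than normalized; confirm that is intended. The `:hint` stays generic for every rejection; `:hint (str "Media type not allowed: " mtype)` would make rejected uploads diagnosable from the error alone.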
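Review bot: The allow-list `#{"image/jpeg" "image/png" "image/webp"}` is written inline here and again in the teams.clj hunk of this commit, so the two photo endpoints will drift the first time one of them is edited; define it once in app.media next to `cm/valid-media-types` (e.g. `(def photo-media-types #{"image/jpeg" "image/png" "image/webp"})`) and pass that name from both call sites. The check only inspects the client-declared `(:content-type file)`, which the uploader controls; the following `media/run cfg {:cmd :info ...}` call is what actually reads the file, so the protection depends on that step rejecting content whose detected format differs from the declared one — worth confirming, since that code is outside the hunk. The enclosing `::update-profile-photo` body continues past the hunk.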
@@ -255,9 +255,10 @@
 (sv/defmethod ::update-team-photo
 [{:keys [pool storage] :as cfg} {:keys [profile-id file team-id] :as params}]
- (media/validate-media-type (:content-type file))
 (db/with-atomic [conn pool]
 (teams/check-edition-permissions! conn profile-id team-id)
+ (media/validate-media-type (:content-type file) #{"image/jpeg" "image/png" "image/webp"})
+
 (let [team (teams/retrieve-team conn profile-id team-id)
 _ (media/run cfg {:cmd :info :input {:path (:tempfile file)
 :mtype (:content-type file)}})
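Review bot: The bare `+` after the validate call adds a stray blank line inside the `db/with-atomic` body between the media check and `(let [team ...`, which the profile.clj handler in the same commit does not have; drop it so the two handlers read alike. Placing the allow-list check after `teams/check-edition-permissions!` is the right order, since an unauthorised caller now gets the permission error before any media validation detail. The duplicated literal set is covered in the profile.clj note. The enclosing `::update-team-photo` body continues past the hunk.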