Validation of file types (#573)

* Add validation of file types * Add more file and mime types * Fix function description * Add pdf type --------- Co-authored-by: igoychev <[email protected]>
podkrepi-bg · Nov 13, 2023 · 3941038 · 3941038
1 parent fcab466
commit 3941038
Show file tree

Hide file tree

Showing 7 changed files with 95 additions and 8 deletions.
diff --git a/apps/api/src/bank-transactions-file/bank-transactions-file.controller.ts b/apps/api/src/bank-transactions-file/bank-transactions-file.controller.ts
@@ -32,6 +32,7 @@ import {
   ImportStatus,
 } from '../bank-transactions-file/dto/bank-transactions-import-status.dto'
 import { CreateBankPaymentDto } from '../donations/dto/create-bank-payment.dto'
+import { validateFileType } from '../common/files'
 
 @ApiTags('bank-transactions-file')
 @Controller('bank-transactions-file')
@@ -45,7 +46,14 @@ export class BankTransactionsFileController {
   ) {}
 
   @Post(':bank_transactions_file_id')
-  @UseInterceptors(FilesInterceptor('file', 5, { limits: { fileSize: 10485760 } }))
+  @UseInterceptors(
+    FilesInterceptor('file', 5, {
+      limits: { fileSize: 1024 * 1024 * 10 }, //limit uploaded files to 5 at once and 10MB each
+      fileFilter: (_req: Request, file, cb) => {
+        validateFileType(file, cb)
+      },
+    }),
+  )
   async create(
     @Param('bank_transactions_file_id') bankTransactionsFileId: string,
     @Body() body: FilesTypesDto,

diff --git a/apps/api/src/campaign-file/campaign-file.controller.ts b/apps/api/src/campaign-file/campaign-file.controller.ts
@@ -24,6 +24,7 @@ import { CampaignFileService } from './campaign-file.service'
 import { CampaignService } from '../campaign/campaign.service'
 import { KeycloakTokenParsed, isAdmin } from '../auth/keycloak'
 import { ApiTags } from '@nestjs/swagger'
+import { validateFileType } from '../common/files'
 
 @ApiTags('campaign-file')
 @Controller('campaign-file')
@@ -35,7 +36,14 @@ export class CampaignFileController {
   ) {}
 
   @Post(':campaign_id')
-  @UseInterceptors(FilesInterceptor('file', 10, { limits: { fileSize: 20485760 } })) //limit uploaded files to 5 at once and 10MB each
+  @UseInterceptors(
+    FilesInterceptor('file', 10, {
+      limits: { fileSize: 1024 * 1024 * 10 }, //limit uploaded files to 10 at once and 10MB each
+      fileFilter: (_req: Request, file, cb) => {
+        validateFileType(file, cb)
+      },
+    }),
+  )
   async create(
     @Param('campaign_id') campaignId: string,
     @Body() body: FilesRoleDto,

diff --git a/apps/api/src/campaign-file/campaign-file.service.ts b/apps/api/src/campaign-file/campaign-file.service.ts
@@ -64,7 +64,7 @@ export class CampaignFileService {
       filename: encodeURIComponent(file.filename),
       mimetype: file.mimetype,
       stream: await this.s3.streamFile(this.bucketName, id),
-      role: file.role
+      role: file.role,
     }
   }
 

diff --git a/apps/api/src/campaign-news-file/campaign-news-file.controller.ts b/apps/api/src/campaign-news-file/campaign-news-file.controller.ts
@@ -24,6 +24,7 @@ import { FilesRoleDto } from './dto/files-role.dto'
 import { CampaignNewsFileService } from './campaign-news-file.service'
 import { KeycloakTokenParsed, isAdmin } from '../auth/keycloak'
 import { ApiTags } from '@nestjs/swagger'
+import { validateFileType } from '../common/files'
 
 @ApiTags('campaign-news-file')
 @Controller('campaign-news-file')
@@ -34,7 +35,14 @@ export class CampaignNewsFileController {
   ) {}
 
   @Post(':article_id')
-  @UseInterceptors(FilesInterceptor('file', 10, { limits: { fileSize: 20485760 } })) //limit uploaded files to 5 at once and 10MB each
+  @UseInterceptors(
+    FilesInterceptor('file', 10, {
+      limits: { fileSize: 1024 * 1024 * 10 }, //limit uploaded files to 10 at once and 10MB each
+      fileFilter: (_req: Request, file, cb) => {
+        validateFileType(file, cb)
+      },
+    }),
+  )
   async create(
     @Param('article_id') articleId: string,
     @Body() body: FilesRoleDto,

diff --git a/apps/api/src/common/files.ts b/apps/api/src/common/files.ts
@@ -0,0 +1,48 @@
+import path from 'path'
+
+interface File {
+  fieldname: string
+  originalname: string
+  encoding: string
+  mimetype: string
+  size: number
+  destination: string
+  filename: string
+  path: string
+  buffer: Buffer
+}
+
+/**
+ * The function is used to validate the type of a file using the file extension and MIME type
+ * @param file object that represent file
+ * @param cb callback function which indicates whether file is accepted or not
+ */
+export function validateFileType(
+  file: File,
+  cb: (error: Error | null, acceptFile: boolean) => void,
+) {
+  const mimeAllowlist = [
+    'text/plain',
+    'application/json',
+    'application/pdf',
+    'image/png',
+    'image/jpeg',
+    'application/xml',
+    'text/xml',
+    'application/msword',
+    'application/vnd.ms-excel',
+    'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+  ]
+  if (!mimeAllowlist.includes(file.mimetype)) {
+    return cb(new Error('File mime type is not allowed'), false)
+  }
+
+  const allowedExtensions = /txt|json|pdf|jpeg|jpg|png|xml|xlsx|xls|docx/
+
+  const isExtensionSupported = allowedExtensions.test(path.extname(file.originalname).toLowerCase())
+  if (!isExtensionSupported) {
+    return cb(new Error('File extension is not allowed'), false)
+  }
+
+  cb(null, true)
+}
diff --git a/apps/api/src/expenses/expenses.controller.ts b/apps/api/src/expenses/expenses.controller.ts
@@ -21,6 +21,7 @@ import { UpdateExpenseDto } from './dto/update-expense.dto'
 import { ApiTags } from '@nestjs/swagger'
 import { UseInterceptors, UploadedFiles } from '@nestjs/common'
 import { FilesInterceptor } from '@nestjs/platform-express'
+import { validateFileType } from '../common/files'
 
 @ApiTags('expenses')
 @Controller('expenses')
@@ -37,7 +38,6 @@ export class ExpensesController {
   }
 
   @Post('create-expense')
-  @UseInterceptors(FilesInterceptor('file', 5, { limits: { fileSize: 10485760 } })) //limit uploaded files to 5 at once and 10MB each
   async create(
     @AuthenticatedUser() user: KeycloakTokenParsed,
     @Body() createExpenseDto: CreateExpenseDto,
@@ -69,7 +69,14 @@ export class ExpensesController {
   }
 
   @Post(':expenseId/files')
-  @UseInterceptors(FilesInterceptor('file', 5, { limits: { fileSize: 10485760 } })) //limit uploaded files to 5 at once and 10MB each
+  @UseInterceptors(
+    FilesInterceptor('file', 5, {
+      limits: { fileSize: 1024 * 1024 * 10 }, //limit uploaded files to 5 at once and 10MB each
+      fileFilter: (_req: Request, file, cb) => {
+        validateFileType(file, cb)
+      },
+    }),
+  )
   async uploadFiles(
     @Param('expenseId') expenseId: string,
     @UploadedFiles() files: Express.Multer.File[],

diff --git a/apps/api/src/irregularity-file/irregularity-file.controller.ts b/apps/api/src/irregularity-file/irregularity-file.controller.ts
@@ -20,7 +20,8 @@ import { PersonService } from '../person/person.service'
 import { IrregularityFileService } from './irregularity-file.service'
 import { RealmViewContactRequests, ViewContactRequests } from '@podkrepi-bg/podkrepi-types'
 import { IrregularityService } from '../irregularity/irregularity.service'
-import { ApiTags } from '@nestjs/swagger';
+import { ApiTags } from '@nestjs/swagger'
+import { validateFileType } from '../common/files'
 
 @ApiTags('irregularity-file')
 @Controller('irregularity-file')
@@ -33,7 +34,14 @@ export class IrregularityFileController {
 
   @Post(':irregularity_id')
   @Public()
-  @UseInterceptors(FilesInterceptor('file', 5, { limits: { fileSize: 10485760 } })) //limit uploaded files to 5 at once and 10MB each
+  @UseInterceptors(
+    FilesInterceptor('file', 5, {
+      limits: { fileSize: 1024 * 1024 * 10 }, //limit uploaded files to 5 at once and 10MB each
+      fileFilter: (_req: Request, file, cb) => {
+        validateFileType(file, cb)
+      },
+    }),
+  )
   async create(
     @Param('irregularity_id') irregularityId: string,
     @UploadedFiles() files: Express.Multer.File[],