diff options
| author | tamaina <tamaina@hotmail.co.jp> | 2022-01-02 21:56:34 +0900 |
|---|---|---|
| committer | tamaina <tamaina@hotmail.co.jp> | 2022-01-02 21:56:34 +0900 |
| commit | 8804f896b06a1ab3c2bfbb79d0e286b59d72aea2 (patch) | |
| tree | e08521bf8f4e40745d84e7e4955cb6e58c373556 /packages/backend/src | |
| parent | modify comment (diff) | |
| parent | update deps (diff) | |
| download | misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.tar.gz misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.tar.bz2 misskey-8804f896b06a1ab3c2bfbb79d0e286b59d72aea2.zip | |
Merge branch 'develop' into pizzax-indexeddb
Diffstat (limited to 'packages/backend/src')
| -rw-r--r-- | packages/backend/src/const.ts | 45 | ||||
| -rw-r--r-- | packages/backend/src/server/file/send-drive-file.ts | 8 | ||||
| -rw-r--r-- | packages/backend/src/server/proxy/proxy-media.ts | 2 | ||||
| -rw-r--r-- | packages/backend/src/services/drive/add-file.ts | 8 |
4 files changed, 57 insertions, 6 deletions
diff --git a/packages/backend/src/const.ts b/packages/backend/src/const.ts index 43f59f1e4f..b00bd81655 100644 --- a/packages/backend/src/const.ts +++ b/packages/backend/src/const.ts @@ -1,2 +1,47 @@ export const USER_ONLINE_THRESHOLD = 1000 * 60 * 10; // 10min export const USER_ACTIVE_THRESHOLD = 1000 * 60 * 60 * 24 * 3; // 3days + +// ブラウザで直接表示することを許可するファイルの種類のリスト +// ここに含まれないものは application/octet-stream としてレスポンスされる +// SVGはXSSを生むので許可しない +export const FILE_TYPE_BROWSERSAFE = [ + // Images + 'image/png', + 'image/gif', + 'image/jpeg', + 'image/webp', + 'image/apng', + 'image/bmp', + 'image/tiff', + 'image/x-icon', + + // OggS + 'audio/opus', + 'video/ogg', + 'audio/ogg', + 'application/ogg', + + // ISO/IEC base media file format + 'video/quicktime', + 'video/mp4', + 'audio/mp4', + 'video/x-m4v', + 'audio/x-m4a', + 'video/3gpp', + 'video/3gpp2', + + 'video/mpeg', + 'audio/mpeg', + + 'video/webm', + 'audio/webm', + + 'audio/aac', + 'audio/x-flac', + 'audio/vnd.wave', +]; +/* +https://github.com/sindresorhus/file-type/blob/main/supported.js +https://github.com/sindresorhus/file-type/blob/main/core.js +https://developer.mozilla.org/en-US/docs/Web/Media/Formats/Containers +*/ diff --git a/packages/backend/src/server/file/send-drive-file.ts b/packages/backend/src/server/file/send-drive-file.ts index 8bb5655b4f..7bfc36e25a 100644 --- a/packages/backend/src/server/file/send-drive-file.ts +++ b/packages/backend/src/server/file/send-drive-file.ts @@ -14,6 +14,7 @@ import { detectType } from '@/misc/get-file-info'; import { convertToJpeg, convertToPngOrJpeg } from '@/services/drive/image-processor'; import { GenerateVideoThumbnail } from '@/services/drive/generate-video-thumbnail'; import { StatusError } from '@/misc/fetch'; +import { FILE_TYPE_BROWSERSAFE } from '@/const'; //const _filename = fileURLToPath(import.meta.url); const _filename = __filename; @@ -27,6 +28,7 @@ const commonReadableHandlerGenerator = (ctx: Koa.Context) => (e: Error): void => ctx.set('Cache-Control', 'max-age=300'); }; +// eslint-disable-next-line import/no-default-export export default async function(ctx: Koa.Context) { const key = ctx.params.key; @@ -81,7 +83,7 @@ export default async function(ctx: Koa.Context) { const image = await convertFile(); ctx.body = image.data; - ctx.set('Content-Type', image.type); + ctx.set('Content-Type', FILE_TYPE_BROWSERSAFE.includes(image.type) ? image.type : 'application/octet-stream'); ctx.set('Cache-Control', 'max-age=31536000, immutable'); } catch (e) { serverLogger.error(`${e}`); @@ -112,14 +114,14 @@ export default async function(ctx: Koa.Context) { }).toString(); ctx.body = InternalStorage.read(key); - ctx.set('Content-Type', mime); + ctx.set('Content-Type', FILE_TYPE_BROWSERSAFE.includes(mime) ? mime : 'application/octet-stream'); ctx.set('Cache-Control', 'max-age=31536000, immutable'); ctx.set('Content-Disposition', contentDisposition('inline', filename)); } else { const readable = InternalStorage.read(file.accessKey!); readable.on('error', commonReadableHandlerGenerator(ctx)); ctx.body = readable; - ctx.set('Content-Type', file.type); + ctx.set('Content-Type', FILE_TYPE_BROWSERSAFE.includes(file.type) ? file.type : 'application/octet-stream'); ctx.set('Cache-Control', 'max-age=31536000, immutable'); ctx.set('Content-Disposition', contentDisposition('inline', file.name)); } diff --git a/packages/backend/src/server/proxy/proxy-media.ts b/packages/backend/src/server/proxy/proxy-media.ts index 9e13c0877f..aba08bb805 100644 --- a/packages/backend/src/server/proxy/proxy-media.ts +++ b/packages/backend/src/server/proxy/proxy-media.ts @@ -6,6 +6,7 @@ import { createTemp } from '@/misc/create-temp'; import { downloadUrl } from '@/misc/download-url'; import { detectType } from '@/misc/get-file-info'; import { StatusError } from '@/misc/fetch'; +import { FILE_TYPE_BROWSERSAFE } from '@/const'; export async function proxyMedia(ctx: Koa.Context) { const url = 'url' in ctx.query ? ctx.query.url : 'https://' + ctx.params.url; @@ -19,6 +20,7 @@ export async function proxyMedia(ctx: Koa.Context) { const { mime, ext } = await detectType(path); if (!mime.startsWith('image/')) throw 403; + if (!FILE_TYPE_BROWSERSAFE.includes(mime)) throw 403; let image: IImage; diff --git a/packages/backend/src/services/drive/add-file.ts b/packages/backend/src/services/drive/add-file.ts index ee4d51a96d..3d53fe8d34 100644 --- a/packages/backend/src/services/drive/add-file.ts +++ b/packages/backend/src/services/drive/add-file.ts @@ -20,6 +20,7 @@ import { isDuplicateKeyValueError } from '@/misc/is-duplicate-key-value-error'; import * as S3 from 'aws-sdk/clients/s3'; import { getS3 } from './s3'; import * as sharp from 'sharp'; +import { FILE_TYPE_BROWSERSAFE } from '@/const'; const logger = driveLogger.createSubLogger('register', 'yellow'); @@ -160,7 +161,7 @@ export async function generateAlts(path: string, type: string, generateWeb: bool } } - if (!['image/jpeg', 'image/png', 'image/webp'].includes(type)) { + if (!['image/jpeg', 'image/png', 'image/webp', 'image/svg+xml'].includes(type)) { logger.debug(`web image and thumbnail not created (not an required file)`); return { webpublic: null, @@ -201,7 +202,7 @@ export async function generateAlts(path: string, type: string, generateWeb: bool webpublic = await convertSharpToJpeg(img, 2048, 2048); } else if (['image/webp'].includes(type)) { webpublic = await convertSharpToWebp(img, 2048, 2048); - } else if (['image/png'].includes(type)) { + } else if (['image/png', 'image/svg+xml'].includes(type)) { webpublic = await convertSharpToPng(img, 2048, 2048); } else { logger.debug(`web image not created (not an required image)`); @@ -220,7 +221,7 @@ export async function generateAlts(path: string, type: string, generateWeb: bool try { if (['image/jpeg', 'image/webp'].includes(type)) { thumbnail = await convertSharpToJpeg(img, 498, 280); - } else if (['image/png'].includes(type)) { + } else if (['image/png', 'image/svg+xml'].includes(type)) { thumbnail = await convertSharpToPngOrJpeg(img, 498, 280); } else { logger.debug(`thumbnail not created (not an required file)`); @@ -241,6 +242,7 @@ export async function generateAlts(path: string, type: string, generateWeb: bool */ async function upload(key: string, stream: fs.ReadStream | Buffer, type: string, filename?: string) { if (type === 'image/apng') type = 'image/png'; + if (!FILE_TYPE_BROWSERSAFE.includes(type)) type = 'application/octet-stream'; const meta = await fetchMeta(); |