Whitelist for preview files from the backend (#1651)

This PR adds a whitelist of safe files to download with `Content-Disposition: inline;` from the backend, all other files will be force download via `Content-Disposition: attachment;` existing svg files will still be rendered in a secure way via the html `image` tag. reference: https://digi.ninja/blog/svg_xss.php Signed-off-by: Lenin Alevski <alevsk.8772@gmail.com>
2022-03-02 12:18:43 -08:00
parent 20ba19affc
commit 26d5972ab5
3 changed files with 47 additions and 4 deletions
--- a/restapi/utils.go
+++ b/restapi/utils.go
@@ -144,3 +144,46 @@ func ExpireSessionCookie() http.Cookie {
 func SanitizeEncodedPrefix(rawPrefix string) string {
 	return strings.Replace(rawPrefix, " ", "+", -1)
 }
+
+var safeMimeTypes = []string{
+	"image/jpeg",
+	"mage/apng",
+	"image/avif",
+	"image/webp",
+	"image/bmp",
+	"image/x-icon",
+	"image/gif",
+	"image/png",
+	"image/heic",
+	"image/heif",
+	"application/pdf",
+	"text/plain",
+	"application/json",
+	"audio/wav",
+	"audio/mpeg",
+	"audio/aiff",
+	"audio/dsd",
+	"video/mp4",
+	"video/x-msvideo",
+	"video/mpeg",
+	"audio/webm",
+	"video/webm",
+	"video/quicktime",
+	"video/x-flv",
+	"audio/x-matroska",
+	"video/x-matroska",
+	"video/x-ms-wmv",
+	"application/metastream",
+	"video/avchd-stream",
+	"audio/mp4",
+	"video/mp4",
+}
+
+func isSafeToPreview(str string) bool {
+	for _, v := range safeMimeTypes {
+		if v == str {
+			return true
+		}
+	}
+	return false
+}