Initial

2025-01-04 00:34:03 +01:00
parent 41829408dc
commit 0ca14bbc19
18111 changed files with 1871397 additions and 0 deletions
--- a/resources/app/node_modules/express-fileupload/lib/isEligibleRequest.js
+++ b/resources/app/node_modules/express-fileupload/lib/isEligibleRequest.js
@@ -0,0 +1,46 @@
+const ACCEPTABLE_CONTENT_TYPE = /^multipart\/[\w'"()+-_?/:=,.]+(?:; ?[\w'"()+-_?/:=,.]*)+$/i;
+const UNACCEPTABLE_METHODS = new Set(['GET', 'HEAD', 'DELETE', 'OPTIONS', 'CONNECT', 'TRACE']);
+
+/**
+ * Ensures the request contains a content body
+ * @param  {Object} req Express req object
+ * @returns {Boolean}
+ */
+const hasBody = (req) => {
+  return ('transfer-encoding' in req.headers) ||
+    ('content-length' in req.headers && req.headers['content-length'] !== '0');
+};
+
+/**
+ * Ensures the request is not using a non-compliant multipart method
+ * such as GET or HEAD
+ * @param  {Object} req Express req object
+ * @returns {Boolean}
+ */
+const hasAcceptableMethod = (req) => !UNACCEPTABLE_METHODS.has(req.method);
+
+/**
+ * Ensures that only multipart requests are processed by express-fileupload
+ * ACCEPTABLE_CONTENT_TYPE REgex is based on the RFC 2046
+ * Validates special characters according to RFC 2046, section 5.1.1: '"()+_-=?/:
+ * Also checks for the presence of boundary in the header.
+ * @param  {Object}  req Express req object
+ * @returns {Boolean}
+ */
+const hasAcceptableContentType = (req) => {
+  const contType = req.headers['content-type'];
+  return contType.includes('boundary=') && ACCEPTABLE_CONTENT_TYPE.test(contType);
+};
+
+/**
+ * Ensures that the request in question is eligible for file uploads
+ * @param {Object} req Express req object
+ * @returns {Boolean}
+ */
+module.exports = (req) => {
+  try {
+    return hasBody(req) && hasAcceptableMethod(req) && hasAcceptableContentType(req);
+  } catch (e) {
+    return false;
+  }
+};