Skip to content

Limit image file types and avoid encoding sensitive data in file path #354

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
PGijsbers wants to merge 4 commits into
base: master
Choose a base branch
from
Open

Limit image file types and avoid encoding sensitive data in file path #354

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
1cb5fda
Limit profile image file types to webp, jp(e)g, and png
PGijsbers Aug 23, 2025
7395dfd
Prevent profile paths from having potentially sensitive information
PGijsbers Aug 23, 2025
8bc8b8a
Restrict to just jpg for now
PGijsbers Aug 23, 2025
717235e
Only look at the last extension
PGijsbers Aug 26, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion server/src/client/app/src/pages/auth/Profile.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -189,7 +189,7 @@ function Public() {
<CenteredContent>
<BigAvatar alt="User Image" id="dp" src={image} />
<input
accept="image/*"
accept="image/jpeg, image/jpg"
style={{ display: "none" }}
id="image"
multiple
Expand Down
34 changes: 28 additions & 6 deletions server/user/views.py
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
import os
import secrets
import uuid
from distutils.util import strtobool
from http import HTTPStatus
from urllib.parse import parse_qs, urlparse

from flask import Blueprint, jsonify, request, send_from_directory, abort, Response
Expand Down Expand Up @@ -31,6 +33,7 @@

blocklist = set()

ALLOWED_IMAGE_EXTENSIONS = ["jpg", "jpeg"]

@jwt.token_in_blocklist_loader
def check_if_token_in_blocklist(jwt_header, decrypted_token):
Expand Down Expand Up @@ -138,18 +141,37 @@ def verifytoken():
@jwt_required()
def image():
"""Function to receive and set user image"""
if "file" not in request.files:
return jsonify({"msg": "No image file supplied"}), HTTPStatus.BAD_REQUEST
file_name = request.files["file"].filename
if '.' not in file_name or (file_extension := file_name.rsplit('.', 1)[1].casefold()) not in ALLOWED_IMAGE_EXTENSIONS:
return jsonify({"msg": "Images of this file type are not supported"}), HTTPStatus.UNSUPPORTED_MEDIA_TYPE

current_user = get_jwt_identity()
previous_image = None
with Session() as session:
user = session.query(User).filter_by(username=current_user).first()
previous_image = getattr(user, "image", None)

f = request.files["file"]
Path("dev_data/" + str(user.username)).mkdir(parents=True, exist_ok=True)
f.save(
os.path.join("dev_data/" + str(user.username) + "/", secure_filename(f.filename))
)
path = "imgs/dev_data/" + str(user.username) + "/" + secure_filename(f.filename)
user.update_image_address(path)

file_directory = Path("dev_data/" + str(user.id))
file_directory.mkdir(parents=True, exist_ok=True)

new_file_name = secure_filename(f.filename)
if not new_file_name:
new_file_name = uuid.uuid4().hex + file_extension

new_file_path = file_directory / new_file_name

f.save(new_file_path)
user.update_image_address(new_file_path)
session.merge(user)
session.commit()

if previous_image and Path(previous_image).exists():
Path(previous_image).unlink()

return jsonify({"msg": "User image changed"}), 200


Expand Down