Software: Apache. PHP/8.1.30 uname -a: Linux server1.tuhinhossain.com 5.15.0-163-generic #173-Ubuntu SMP Tue Oct 14 17:51:00 UTC uid=1002(picotech) gid=1003(picotech) groups=1003(picotech),0(root) Safe-mode: OFF (not secure) /home/picotech/domains/rentals.picotech.app/public_html/server/middleware/ drwxr-xr-x | |
| Viewing file: Select action/file-type: import multer from 'multer';
import path from 'path';
import fs from 'fs';
import { v4 as uuidv4 } from 'uuid';
import { fileURLToPath } from 'url';
import { fileTypeFromBuffer } from 'file-type';
const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
// Ensure upload directory exists
const uploadDir = path.join(__dirname, '../../uploads');
if (!fs.existsSync(uploadDir)) {
fs.mkdirSync(uploadDir, { recursive: true });
}
// Sanitize filename to prevent path traversal and other attacks
const sanitizeFilename = (filename) => {
// Remove path separators and null bytes
let sanitized = filename.replace(/[\/\\.\0]/g, '_');
// Remove any non-alphanumeric characters except dash, underscore, and dot
sanitized = sanitized.replace(/[^a-zA-Z0-9\-_\.]/g, '');
// Limit length
sanitized = sanitized.substring(0, 100);
return sanitized || 'file';
};
const storage = multer.diskStorage({
destination: (req, file, cb) => {
const fullPath = uploadDir;
if (!fs.existsSync(fullPath)) {
fs.mkdirSync(fullPath, { recursive: true });
}
cb(null, fullPath);
},
filename: (req, file, cb) => {
const sanitizedOriginal = sanitizeFilename(file.originalname);
const ext = path.extname(sanitizedOriginal);
const basename = path.basename(sanitizedOriginal, ext);
const uniqueName = `${basename}-${uuidv4()}-${Date.now()}${ext}`;
cb(null, uniqueName);
}
});
// Enhanced file filter with magic number validation
const fileFilter = async (req, file, cb) => {
try {
// Allowed MIME types
const allowedMimeTypes = [
'image/jpeg',
'image/jpg',
'image/png',
'image/gif',
'application/pdf',
'application/msword',
'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
];
// Allowed extensions
const allowedExtensions = /jpeg|jpg|png|gif|pdf|doc|docx/;
const extname = allowedExtensions.test(path.extname(file.originalname).toLowerCase());
const mimetype = allowedMimeTypes.includes(file.mimetype);
if (!mimetype || !extname) {
return cb(new Error('Invalid file type. Only images (JPEG, PNG, GIF) and documents (PDF, DOC, DOCX) are allowed.'));
}
// Additional check: prevent executable files
const dangerousExtensions = /exe|bat|cmd|sh|dll|so|dylib|app|deb|rpm|msi|jar|js|vbs|ps1/i;
if (dangerousExtensions.test(path.extname(file.originalname))) {
return cb(new Error('Executable files are not allowed.'));
}
cb(null, true);
} catch (error) {
cb(new Error('File validation failed.'));
}
};
// Validate file content using magic numbers (called after upload)
export const validateFileContent = async (filePath) => {
try {
const buffer = fs.readFileSync(filePath);
const fileType = await fileTypeFromBuffer(buffer);
if (!fileType) {
// If we can't detect the type, it might be a text file (like some PDFs)
// Allow it but log for monitoring
console.warn('Could not detect file type for:', filePath);
return true;
}
const allowedMimeTypes = [
'image/jpeg',
'image/png',
'image/gif',
'application/pdf',
'application/msword',
'application/vnd.openxmlformats-officedocument.wordprocessingml.document'
];
if (!allowedMimeTypes.includes(fileType.mime)) {
fs.unlinkSync(filePath); // Delete the malicious file
return false;
}
return true;
} catch (error) {
console.error('File content validation error:', error);
return false;
}
};
const upload = multer({
storage,
limits: {
fileSize: parseInt(process.env.MAX_FILE_SIZE) || 10 * 1024 * 1024, // 10MB default
files: 10, // Maximum 10 files per request
},
fileFilter
});
export default upload; |
:: Command execute :: | |
--[ c99shell v. 2.5 [PHP 8 Update] [24.05.2025] | Generation time: 0.0039 ]-- |