From 3e37d11c6a3841a00eb27670d1d003f1a713e1cf Mon Sep 17 00:00:00 2001
From: vabene1111
Date: Sat, 18 Jan 2025 09:22:29 +0100
Subject: [PATCH] restrict file upload to certain types

---
 cookbook/helper/image_processing.py | 14 ++++++++++++++
 cookbook/serializer.py | 16 ++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/cookbook/helper/image_processing.py b/cookbook/helper/image_processing.py
index 06d022d70..1a9600ba1 100644
--- a/cookbook/helper/image_processing.py
+++ b/cookbook/helper/image_processing.py
@@ -35,6 +35,20 @@ def get_filetype(name):
     return '.jpeg'
 
 
+def is_file_type_allowed(filename, image_only=False):
+    is_file_allowed = False
+    allowed_file_types = ['.pdf','.docx', '.xlsx']
+    allowed_image_types = ['.png', '.jpg', '.jpeg']
+    check_list = allowed_image_types
+    if not image_only:
+        check_list += allowed_file_types
+
+    for file_type in check_list:
+        if filename.endswith(file_type):
+            is_file_allowed = True
+
+    return is_file_allowed
+
 # TODO this whole file needs proper documentation, refactoring, and testing
 # TODO also add env variable to define which images sizes should be compressed
 # filetype argument can not be optional, otherwise this function will treat all images as if they were a jpeg
diff --git a/cookbook/serializer.py b/cookbook/serializer.py
index 1bdbbad6f..90108e6a4 100644
--- a/cookbook/serializer.py
+++ b/cookbook/serializer.py
@@ -22,6 +22,7 @@ from rest_framework.fields import IntegerField
 
 from cookbook.helper.CustomStorageClass import CachedS3Boto3Storage
 from cookbook.helper.HelperFunctions import str2bool
+from cookbook.helper.image_processing import is_file_type_allowed
 from cookbook.helper.permission_helper import above_space_limit
 from cookbook.helper.property_helper import FoodPropertyHelper
 from cookbook.helper.shopping_helper import RecipeShoppingEditor
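Review bot: The suffix match in `is_file_type_allowed` is case-sensitive, so an upload named `Scan.PDF` or `IMG.JPG` (the usual output of cameras and scanners) is rejected while the same bytes with a lowercase suffix pass; the loop condition should read `if filename.lower().endswith(file_type):`, or the whole loop can become `return filename.lower().endswith(tuple(check_list))`. The function also deserves a docstring saying what it does and does not check: it inspects only the client-supplied filename, so a file named `notes.pdf` may hold any content — this narrows what gets stored but is not a content check, and anything that serves these files back must still rely on its own content-type and disposition handling. A style nit: `check_list = allowed_image_types` aliases the list and the `+=` then mutates it in place, which reads like an accidental shared-list bug even though both lists are local here; `check_list = allowed_image_types + allowed_file_types` avoids the double-take.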
@@ -233,12 +234,17 @@ class UserFileSerializer(serializers.ModelSerializer):
             raise ValidationError(_('You have reached your file upload limit.'))
 
     def create(self, validated_data):
+        if not is_file_type_allowed(validated_data['file'].name):
+            return None
+
         self.check_file_limit(validated_data)
         validated_data['created_by'] = self.context['request'].user
         validated_data['space'] = self.context['request'].space
         return super().create(validated_data)
 
     def update(self, instance, validated_data):
+        if not is_file_type_allowed(validated_data['file'].name):
+            return None
         self.check_file_limit(validated_data)
         return super().update(instance, validated_data)
 
@@ -958,6 +964,16 @@ class RecipeImageSerializer(WritableNestedModelSerializer):
     image = serializers.ImageField(required=False, allow_null=True)
     image_url = serializers.CharField(max_length=4096, required=False, allow_null=True)
 
+    def create(self, validated_data):
+        if not is_file_type_allowed(validated_data['image'].name, image_only=True):
+            return None
+        return super().create( validated_data)
+
+    def update(self, instance, validated_data):
+        if not is_file_type_allowed(validated_data['image'].name, image_only=True):
+            return None
+        return super().update(instance, validated_data)
+
     class Meta:
         model = Recipe
         fields = ['image', 'image_url', ]
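Review bot: Returning `None` from `create`/`update` when the suffix is rejected does not give the client a validation error: as far as I recall DRF's `save()` asserts that `create()`/`update()` returned an instance, so the rejected upload surfaces as a server error with no message, unlike the `ValidationError` the hunk's first context line raises for the upload limit. In `update`, `validated_data['file']` additionally raises `KeyError` on a partial update that does not resend the file (e.g. a rename), so the guard breaks an existing path rather than only blocking bad uploads. Both problems go away by moving the check into a field validator, which DRF runs only when `file` is in the payload and which reports a proper 400; the two added `if not is_file_type_allowed(...)` / `return None` pairs can then be removed. The enclosing class starts before this hunk and `check_file_limit` is visible only through its last line.
```python
    def validate_file(self, value):
        # Runs only when 'file' is in the payload, so a partial update that
        # keeps the stored file skips the check instead of failing on a KeyError.
        # Suffix check only: the name is client-supplied and says nothing about content.
        if not is_file_type_allowed(value.name):
            raise ValidationError(_('This file type is not allowed.'))
        return value

    # … unchanged: create()/update() without the is_file_type_allowed guards …
```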
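Review bot: `validated_data['image'].name` in the new `create`/`update` contradicts this serializer's own field declarations two lines above: `image` is `required=False, allow_null=True`, so a request that sends only `image_url`, or sends `image: null` to clear the picture, now fails with `KeyError` or `AttributeError` before any check runs. As in `UserFileSerializer`, returning `None` also leaves DRF's `save()` without an instance rather than reporting a validation error. A `validate_image` field validator that skips `None` and raises `ValidationError` covers both cases and lets the two overridden methods go; since `ImageField` presumably already rejects content that does not decode as an image, a comment should say this check only pins the suffix. The stray space in `super().create( validated_data)` would also go with it; the rest of the class lies outside the hunk.
```python
    def validate_image(self, value):
        # image is optional and nullable: only an actual upload gets the suffix check,
        # so image_url-only requests and image=None (clear) keep working.
        # ImageField has presumably already verified the content decodes as an image;
        # this only restricts the client-supplied suffix.
        if value is not None and not is_file_type_allowed(value.name, image_only=True):
            raise ValidationError(_('This image type is not allowed.'))
        return value

    # … unchanged: create()/update() overrides no longer needed …
```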