restrict file upload to certain types

2026-01-01 04:10:06 -05:00 · 2025-01-18 09:22:29 +01:00
parent 36e83a9d01
commit 3e37d11c6a
2 changed files with 30 additions and 0 deletions
--- a/cookbook/helper/image_processing.py
+++ b/cookbook/helper/image_processing.py
@@ -35,6 +35,20 @@ def get_filetype(name):
        return '.jpeg'


+def is_file_type_allowed(filename, image_only=False):
+    is_file_allowed = False
+    allowed_file_types = ['.pdf','.docx', '.xlsx']
+    allowed_image_types = ['.png', '.jpg', '.jpeg']
+    check_list = allowed_image_types
+    if not image_only:
+        check_list += allowed_file_types
+
+    for file_type in check_list:
+        if filename.endswith(file_type):
+            is_file_allowed = True
+
+    return is_file_allowed
+
 # TODO this whole file needs proper documentation, refactoring, and testing
 # TODO also add env variable to define which images sizes should be compressed
 # filetype argument can not be optional, otherwise this function will treat all images as if they were a jpeg
--- a/cookbook/serializer.py
+++ b/cookbook/serializer.py
@@ -22,6 +22,7 @@ from rest_framework.fields import IntegerField

 from cookbook.helper.CustomStorageClass import CachedS3Boto3Storage
 from cookbook.helper.HelperFunctions import str2bool
+from cookbook.helper.image_processing import is_file_type_allowed
 from cookbook.helper.permission_helper import above_space_limit
 from cookbook.helper.property_helper import FoodPropertyHelper
 from cookbook.helper.shopping_helper import RecipeShoppingEditor
@@ -233,12 +234,17 @@ class UserFileSerializer(serializers.ModelSerializer):
                raise ValidationError(_('You have reached your file upload limit.'))

    def create(self, validated_data):
+        if not is_file_type_allowed(validated_data['file'].name):
+            return None
+
        self.check_file_limit(validated_data)
        validated_data['created_by'] = self.context['request'].user
        validated_data['space'] = self.context['request'].space
        return super().create(validated_data)

    def update(self, instance, validated_data):
+        if not is_file_type_allowed(validated_data['file'].name):
+            return None
        self.check_file_limit(validated_data)
        return super().update(instance, validated_data)

@@ -958,6 +964,16 @@ class RecipeImageSerializer(WritableNestedModelSerializer):
    image = serializers.ImageField(required=False, allow_null=True)
    image_url = serializers.CharField(max_length=4096, required=False, allow_null=True)

+    def create(self, validated_data):
+        if not is_file_type_allowed(validated_data['image'].name, image_only=True):
+            return None
+        return super().create( validated_data)
+
+    def update(self, instance, validated_data):
+        if not is_file_type_allowed(validated_data['image'].name, image_only=True):
+            return None
+        return super().update(instance, validated_data)
+
    class Meta:
        model = Recipe
        fields = ['image', 'image_url', ]