chore(etapi): enforce MIME for image upload

This commit is contained in:
Elian Doran
2026-04-05 10:44:47 +03:00
parent fc1be0d23d
commit 2432e230c5

View File

@@ -66,6 +66,11 @@ function register(router: Router) {
eu.validateAndPatch(_params, req.body, ALLOWED_PROPERTIES_FOR_CREATE_NOTE);
const params = _params as NoteParams;
// Validate MIME type for image notes
if (params.type === "image" && params.mime && !params.mime.startsWith("image/")) {
throw new eu.EtapiError(400, "INVALID_MIME_FOR_IMAGE", `MIME type '${params.mime}' is not allowed for image notes. MIME must start with 'image/'.`);
}
try {
const resp = noteService.createNewNote(params);
@@ -93,6 +98,13 @@ function register(router: Router) {
throw new eu.EtapiError(400, "NOTE_IS_PROTECTED", `Note '${req.params.noteId}' is protected and cannot be modified through ETAPI.`);
}
// Validate MIME type for image notes (check both current and new type/mime)
const effectiveType = req.body.type || note.type;
const effectiveMime = req.body.mime || note.mime;
if (effectiveType === "image" && effectiveMime && !effectiveMime.startsWith("image/")) {
throw new eu.EtapiError(400, "INVALID_MIME_FOR_IMAGE", `MIME type '${effectiveMime}' is not allowed for image notes. MIME must start with 'image/'.`);
}
noteService.saveRevisionIfNeeded(note);
eu.validateAndPatch(note, req.body, ALLOWED_PROPERTIES_FOR_PATCH);
note.save();