mirror of
https://github.com/zadam/trilium.git
synced 2026-07-04 09:19:39 +02:00
chore(etapi): enforce MIME for image upload
@@ -66,6 +66,11 @@ function register(router: Router) {
|
||||
eu.validateAndPatch(_params, req.body, ALLOWED_PROPERTIES_FOR_CREATE_NOTE);
|
||||
const params = _params as NoteParams;
|
||||
|
||||
// Validate MIME type for image notes
|
||||
if (params.type === "image" && params.mime && !params.mime.startsWith("image/")) {
|
||||
throw new eu.EtapiError(400, "INVALID_MIME_FOR_IMAGE", `MIME type '${params.mime}' is not allowed for image notes. MIME must start with 'image/'.`);
|
||||
}
|
||||
|
||||
try {
|
||||
const resp = noteService.createNewNote(params);
|
||||
|
||||
@@ -93,6 +98,13 @@ function register(router: Router) {
|
||||
throw new eu.EtapiError(400, "NOTE_IS_PROTECTED", `Note '${req.params.noteId}' is protected and cannot be modified through ETAPI.`);
|
||||
}
|
||||
|
||||
// Validate MIME type for image notes (check both current and new type/mime)
|
||||
const effectiveType = req.body.type || note.type;
|
||||
const effectiveMime = req.body.mime || note.mime;
|
||||
if (effectiveType === "image" && effectiveMime && !effectiveMime.startsWith("image/")) {
|
||||
throw new eu.EtapiError(400, "INVALID_MIME_FOR_IMAGE", `MIME type '${effectiveMime}' is not allowed for image notes. MIME must start with 'image/'.`);
|
||||
}
|
||||
|
||||
noteService.saveRevisionIfNeeded(note);
|
||||
eu.validateAndPatch(note, req.body, ALLOWED_PROPERTIES_FOR_PATCH);
|
||||
note.save();
|
||||
|
||||
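Review bot: The PATCH check in the second hunk reads `req.body.type` and `req.body.mime` before `eu.validateAndPatch` has validated them and merges them with `||`, so an empty-string `mime` is checked against `note.mime` while the body value may still be what gets patched, and a non-string `mime` would fail on `.startsWith` rather than produce the 400. Whether the validator rejects those inputs is not visible here, so I would make the check self-contained: `const effectiveMime = req.body.mime ?? note.mime;` and `if (effectiveType === "image" && (typeof effectiveMime !== "string" || !effectiveMime.startsWith("image/")))`. The create-path check in the first hunk has the same `params.mime &&` skip, so an image note sent without a MIME is not checked at that point. A bare `image/` prefix also admits `image/svg+xml`, which can carry script; if the aim is to keep active content out of image notes, an explicit allowlist of raster types would be tighter. The body of `register` continues outside both hunks.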