check image mime type

2022-04-04 10:31:08 +02:00 · 2022-04-04 10:31:08 +02:00 · 49c03b167e
commit 49c03b167e
parent 4d06d08a03
5 changed files with 36 additions and 23 deletions
--- a/src/db.ml
+++ b/src/db.ml
@ -23,10 +23,6 @@ let () =
  if Result.is_error (Db.exec set_foreign_keys_on ()) then
    Dream.error (fun log -> log "can't set foreign_keys on")

-(* TODO do image validation: length and MIME types with conan*)
-(* TODO do the same for text input: check length, forbidden chars and have a forbidden words filter*)
-let is_valid_image _content = true
-
 let () =
  let query =
    Caqti_request.exec Caqti_type.unit
@ -38,3 +34,31 @@ let () =
  | Error _e ->
    Format.eprintf "db error@\n";
    exit 1
+
+let mime_database = Conan.Process.database ~tree:Conan_light.tree
+
+let mime contents =
+  match Conan_string.run ~database:mime_database contents with
+  | Ok m -> Conan.Metadata.mime m
+  | Error _ -> None
+
+let clean_image image =
+  let name, alt, content = image in
+  let name =
+    match name with
+    | Some name -> Dream.html_escape name
+    | None ->
+      (* make up random name if no name was given *)
+      Uuidm.to_string (Uuidm.v4_gen random_state ())
+  in
+  if String.length name > 1000 then Error "Image name too long"
+  else if String.length alt > 1000 then Error "Image description too long"
+  else if String.length content > 4200000 then Error "Image size too big"
+  else
+    match mime content with
+    | None -> Error "invalid image type"
+    | Some mime -> (
+      match mime with
+      | "image/jpeg" | "image/png" | "image/webp" -> Ok (name, alt, content)
+      | _unsupported_mime_type ->
+        Error (Format.sprintf "unsupported image type: %s" mime) )