Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-30 18:46:01 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: use req.ip instead, since guests can upload as well

Browse Source
This commit is contained in:
psychobunny
2021-04-18 19:19:52 -04:00
committed by Andrew Rodrigues
parent a9978fcfd2
commit ea22cd302a
2 changed files with 13 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/middleware/uploads.js
View File

@@ -4,7 +4,6 @@ const LRU = require('lru-cache');
const meta = require('../meta'); const meta = require('../meta');
const helpers = require('./helpers'); const helpers = require('./helpers');
const user = require('../user'); const user = require('../user');
const controllerHelpers = require('../controllers/helpers');
const cache = new LRU({ const cache = new LRU({
maxAge: meta.config.uploadRateLimitThreshold * 1000, maxAge: meta.config.uploadRateLimitThreshold * 1000,
@@ -13,20 +12,16 @@ const cache = new LRU({
module.exports = function (middleware) { module.exports = function (middleware) {
middleware.ratelimitUploads = helpers.try(async (req, res, next) => { middleware.ratelimitUploads = helpers.try(async (req, res, next) => {
const { uid } = req; const { uid } = req;
if (!uid) { if (!meta.config.uploadRateLimitThreshold || uid && await user.isAdminOrGlobalMod(uid)) {
return controllerHelpers.notAllowed(req, res);
}
if (!meta.config.uploadRateLimitThreshold || await user.isAdminOrGlobalMod(req.uid)) {
return next(); return next();
} }
const count = (cache.peek(`${uid}:uploaded_file_count`) || 0) + req.files.files.length; const count = (cache.peek(`${req.ip}:uploaded_file_count`) || 0) + req.files.files.length;
if (count > meta.config.uploadRateLimitThreshold) { if (count > meta.config.uploadRateLimitThreshold) {
return next(new Error(['[[error:upload-ratelimit-reached]]'])); return next(new Error(['[[error:upload-ratelimit-reached]]']));
} }
cache.set(`${uid}:uploaded_file_count`, count); cache.set(`${req.ip}:uploaded_file_count`, count);
next(); next();
}); });
}; };

10
test/uploads.js
View File

@@ -151,6 +151,16 @@ describe('Upload Controllers', () => {
}); });
}); });
it('should fail to upload image to post if image is broken', (done) => {
helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/brokenimage.png'), {}, jar, csrf_token, (err, res, body) => {
assert.ifError(err);
assert.strictEqual(res.statusCode, 500);
assert(body && body.status && body.status.message);
assert(body.status.message.startsWith('Input file has corrupt header: pngload: end of stream'));
done();
});
});
it('should fail to upload image to post if image dimensions are too big', (done) => { it('should fail to upload image to post if image dimensions are too big', (done) => {
helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/toobig.jpg'), {}, jar, csrf_token, (err, res, body) => { helpers.uploadFile(`${nconf.get('url')}/api/post/upload`, path.join(__dirname, '../test/files/toobig.jpg'), {}, jar, csrf_token, (err, res, body) => {
assert.ifError(err); assert.ifError(err);