Enforce submission type in upload endpoint

2025-07-27 00:25:59 -04:00
parent 451d1c93d4
commit f9d9bdbac6


@ -2,8 +2,14 @@ import { jsonError, jsonResponse } from "../../common.js";
import upload from "../../upload.js"; import upload from "../../upload.js";
export async function onRequestPost(context: RequestContext) { export async function onRequestPost(context: RequestContext) {
const { description, files, senderTokenId, turnstileResponse, usernames } = const {
context.data.body; description,
files,
senderTokenId,
submissionType,
turnstileResponse,
usernames,
} = context.data.body;
if (!context.data.current_user) { if (!context.data.current_user) {
if (typeof turnstileResponse !== "string") if (typeof turnstileResponse !== "string")
@ -32,6 +38,9 @@ export async function onRequestPost(context: RequestContext) {
if (!Array.isArray(usernames)) if (!Array.isArray(usernames))
return jsonError("Usernames must be type of array", 400); return jsonError("Usernames must be type of array", 400);
if (!["abuse", "exploit"].includes(submissionType))
return jsonError("Invalid submission type", 400);
if ( if (
!["string", "undefined"].includes(typeof description) || !["string", "undefined"].includes(typeof description) ||
description?.length > 512 description?.length > 512
@ -131,7 +140,19 @@ export async function onRequestPost(context: RequestContext) {
if ( if (
fileParts.length < 2 || fileParts.length < 2 ||
!["mkv", "mp4", "wmv", "m4v", "gif", "webm"].includes(fileExten) ![
"avif",
"gif",
"jpeg",
"jpg",
"m4v",
"mkv",
"mp4",
"png",
"webm",
"webp",
"wmv",
].includes(fileExten)
) )
return jsonError( return jsonError(
`File ${file.name} cannot be uploaded as it is unsupported`, `File ${file.name} cannot be uploaded as it is unsupported`,
@ -196,7 +217,7 @@ export async function onRequestPost(context: RequestContext) {
} }
await context.env.D1.prepare( await context.env.D1.prepare(
"INSERT INTO reports (attachments, created_at, id, open, target_ids, target_usernames, user) VALUES (?, ?, ?, 1, ?, ?, ?);", "INSERT INTO reports (attachments, created_at, id, open, target_ids, target_usernames, type, user) VALUES (?, ?, ?, 1, ?, ?, ?, ?);",
) )
.bind( .bind(
JSON.stringify(attachments), JSON.stringify(attachments),
@ -204,6 +225,7 @@ export async function onRequestPost(context: RequestContext) {
reportId, reportId,
JSON.stringify(metaIDs), JSON.stringify(metaIDs),
JSON.stringify(metaNames), JSON.stringify(metaNames),
submissionType,
currentUser ? JSON.stringify(currentUser) : null, currentUser ? JSON.stringify(currentUser) : null,
) )
.run(); .run();
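Review bot: The widened allowlist in the third hunk (`@ -131,7 +140,19`) still accepts or rejects a file on `fileExten` alone, which appears to come from the client-supplied `file.name`, and the new image types (`avif`, `jpeg`, `jpg`, `png`, `webp`) widen what that name-only check admits. How `fileExten` is computed and how the upload is later stored and served lie outside the visible hunks. Please confirm that the extension is lowercased before the `includes` call and that the stored object's content type is derived from the validated extension, not from a value the client sends. A short comment above the list would make the limit explicit, for example `// Extension allowlist only; file content is not inspected here`. The `submissionType` check in the second hunk looks sound, since `includes` on the two-string array also rejects non-string values before the value reaches the bound `type` parameter.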