From feb2ca126f50d9642c08ce7800259b49b9ecb0db Mon Sep 17 00:00:00 2001
From: KernelDeimos
Date: Mon, 17 Feb 2025 10:15:27 -0500
Subject: [PATCH] dev: validate attachments
---
 .../src/modules/mail/UserSendMailService.js | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
diff --git a/src/backend/src/modules/mail/UserSendMailService.js b/src/backend/src/modules/mail/UserSendMailService.js
index 5b54edcf9..f152c4c48 100644
--- a/src/backend/src/modules/mail/UserSendMailService.js
+++ b/src/backend/src/modules/mail/UserSendMailService.js
@@ -86,7 +86,32 @@ class UserSendMailService extends BaseService {
 [encoding === 'html' ? 'html' : 'text']: body,
 };
- for ( const attachment of attachments ) {
+ for ( let i=0 ; i < attachments.length ; i++ ) {
+ const attachment = attachments[i];
+
+ // Validation
+ // TODO: JSON schema might be better for this actually
+ if ( ! attachment.path && ! attachment.content ) {
+ throw APIError.create('xor_field_missing', null, {
+ names: [
+ `attachments[${i}].path`,
+ `attachments[${i}].content`
+ ],
+ });
+ }
+ if ( ! attachment.filename ) {
+ throw APIError.create('field_missing', null, {
+ key: `attachments[${i}].filename`,
+ });
+ }
+ if ( typeof attachment.filename !== 'string' ) {
+ throw APIError.create('field_invalid', null, {
+ key: `attachments[${i}].filename`,
+ expected: 'string',
+ got: typeof attachment.filename,
+ });
+ }
+
 if ( attachment.path ) {
 const svc_fs = this.services.get('filesystem');
 const node = await svc_fs.node(attachment.path);
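Review bot: The added validation type-checks only `filename`; the attachment entry itself and its `path` and `content` values are still read unchecked. A `null` or non-object entry makes `attachment.path` throw a plain TypeError before any APIError is raised, and a truthy non-string `path` passes straight on to `svc_fs.node(attachment.path)` in the context lines below. I would guard the entry at the top of the loop body and add a `typeof` check for `path` in the same `field_invalid` shape as the filename check, unless non-string selectors are meant to be accepted there, with a similar check for `content` against whatever types the mailer should take. The first check is also reported as `xor_field_missing` but only rejects the case where both are absent, so an entry carrying both `path` and `content` is accepted and, judging by the visible `if ( attachment.path )`, `path` presumably wins; that should be rejected or documented. The loop body continues past the end of the hunk.

```javascript
for ( let i=0 ; i < attachments.length ; i++ ) {
    const attachment = attachments[i];

    // Reject null / non-object entries before any field is read
    if ( ! attachment || typeof attachment !== 'object' ) {
        throw APIError.create('field_invalid', null, {
            key: `attachments[${i}]`,
            expected: 'object',
            got: typeof attachment,
        });
    }
    // … unchanged: path/content presence check, filename checks …
    if ( attachment.path && typeof attachment.path !== 'string' ) {
        throw APIError.create('field_invalid', null, {
            key: `attachments[${i}].path`,
            expected: 'string',
            got: typeof attachment.path,
        });
    }
    // … unchanged: if ( attachment.path ) { … filesystem lookup … }
```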