fix: validate image-only uploads and respect allowed_file_types setting for journey photos

Add fileFilter to the journey photo multer config (shared by entry photo
upload and gallery upload routes):
- Rejects any non-image MIME type (including SVG, which carries XSS risk)
- Checks the extension against the admin-configured allowed_file_types setting
  (same getAllowedExtensions() used by the trip file upload route)
- Returns HTTP 400 with a descriptive message on rejection

Also fix the global error handler to return err.message for 4xx responses
instead of the generic 'Internal server error', so fileFilter rejections
produce a readable error on the client.
jubnl
2026-04-22 16:16:35 +02:00
parent ed7e2badca
commit 82cce365f7
2 changed files with 22 additions and 2 deletions
@@ -372,8 +372,10 @@ export function createApp(): express.Application {
} else {
console.error('Unhandled error:', err);
}
const status = err.statusCode || 500;
res.status(status).json({ error: 'Internal server error' });
const status = err.statusCode || err.status || 500;
// Expose the message for client errors (4xx); keep 'Internal server error' for 5xx.
const message = status < 500 ? err.message : 'Internal server error';
res.status(status).json({ error: message });
});
return app;
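Review bot: on the line `const message = status < 500 ? err.message : 'Internal server error';`, `err.message` can be undefined or empty for a client error that carries only a status, and `res.status(status).json({ error: message })` then serialises to `{}` so the client gets no message at all; add a fallback, e.g. `const message = status < 500 ? (err.message || 'Bad request') : 'Internal server error';`. Consider also keying the decision on the `err.expose` flag that http-errors and body-parser set on errors they intend to be shown to clients, rather than on `status < 500` alone, since with this change any error a library marks as 4xx has its message relayed verbatim to the response. The commit message says fileFilter rejections should now be readable on the client, but this hunk only shows the handler side; it is worth confirming in the multer config that the error passed from fileFilter actually sets `statusCode` or `status` to 400, otherwise it still falls through to the 500 branch here.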