From 3ae229a275cd0818b4a48e88115b0b38371d846f Mon Sep 17 00:00:00 2001
From: Pierre HUBERT
Date: Mon, 28 Apr 2025 21:13:15 +0200
Subject: [PATCH] Enforce mimetype check on backend
---
 .../src/controllers/files_controller.rs | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/moneymgr_backend/src/controllers/files_controller.rs b/moneymgr_backend/src/controllers/files_controller.rs
index d572029..7c7c721 100644
--- a/moneymgr_backend/src/controllers/files_controller.rs
+++ b/moneymgr_backend/src/controllers/files_controller.rs
@@ -1,4 +1,5 @@
 use crate::controllers::HttpResult;
+use crate::controllers::server_controller::ServerConstraints;
 use crate::extractors::auth_extractor::AuthExtractor;
 use crate::extractors::file_extractor::FileExtractor;
 use crate::extractors::file_id_extractor::FileIdExtractor;
@@ -12,6 +13,21 @@ use std::time::Duration;
 
 /// Upload a new file
 pub async fn upload(auth: AuthExtractor, file: FileExtractor) -> HttpResult {
+ // Check file mimetype
+ if !ServerConstraints::default()
+ .file_allowed_types
+ .contains(&file.mime.as_ref())
+ {
+ log::error!(
+ "User attempted to upload a file with invalid mimetype! {}",
+ file.mime
+ );
+ return Ok(HttpResponse::BadRequest().body(format!(
+ "Files with mimetype {} cannot be uploaded!",
+ file.mime
+ )));
+ }
+
 let file = files_service::create_file_with_mimetype(
 auth.user_id(),
 &file.name(),
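Review bot: The allow-list test added to `upload` compares `file.mime`, and nothing in this hunk shows where `FileExtractor` gets that value. If it is copied from the content type the client declares rather than detected from the uploaded bytes, the check constrains only the label, and the bytes handed to `create_file_with_mimetype` can still be of any type. I would state the source above the check, e.g. `// file.mime must be derived from the file content, not from the client-declared Content-Type`, and confirm it in the extractor. The rejection is also logged without the account although `auth.user_id()` is in scope, so rejected uploads cannot be attributed from the log; adding the user id to the `log::error!` arguments (assuming its type can be formatted) and lowering the level to `log::warn!` for what is a client-side error would serve detection better. The body of `upload` continues past the end of the hunk.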