
Merge pull request #22 from Onestay/onestay

added array with blocked file extensions
Kanacchi 8 年之前
父節點
當前提交
3e38e138ca
共有 2 個文件被更改,包括 15 次插入2 次删除
  1. 8 1
      config.sample.js
  2. 7 1
      controllers/uploadController.js

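--- a/config.sample.js
+++ b/config.sample.js
@@ -4,7 +4,6 @@ module.exports = {
 		If set to true the user will need to specify the auto-generated token
 		on each API call, meaning random strangers wont be able to use the service
 		unless they have the token loli-safe provides you with.
-
 		If it's set to false, then upload will be public for anyone to use.
 	*/
 	private: true,
@@ -34,6 +33,14 @@ module.exports = {
 	// Pages to process for the frontend
 	pages: ['home', 'auth', 'dashboard', 'faq'],
 
+	// Add file extensions here which should be blocked
+	blockedExtensions: [
+		'.exe',
+		'.bat',
+		'.cmd',
+		'.msi'
+	],
+
 	// Uploads config
 	uploads: {
 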
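Review bot: The comment above the new `blockedExtensions` array does not tell the operator how entries are matched, so a value like `exe` or `.EXE` will silently have no effect against a lower-case `.exe` upload. As written in controllers/uploadController.js the entry is compared exactly, leading dot included and case-sensitive, against `path.extname` of the client-supplied filename, so say so: `// Extensions to reject, each with leading dot (e.g. '.exe'); compared exactly against the upload's final extension, so add upper-case variants too`. Since this is a denylist, it only covers what it names; a second comment line noting that deployments should extend it for other executable or browser-rendered types (scripts, HTML) would set expectations correctly.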

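--- a/controllers/uploadController.js
+++ b/controllers/uploadController.js
@@ -20,7 +20,13 @@ const storage = multer.diskStorage({
 
 const upload = multer({
 	storage: storage,
-	limits: { fileSize: config.uploads.maxSize }
+	limits: { fileSize: config.uploads.maxSize },
+	fileFilter: function(req, file, cb) {
+		if (config.blockedExtensions.some((extension) => { return path.extname(file.originalname) === extension; })) {
+			return cb('This file extension is not allowed');
+		}
+		return cb(null, true);
+	}
 }).array('files[]')
 
 uploadsController.upload = function(req, res, next) {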
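Review bot: The new fileFilter compares `path.extname(file.originalname)` against the blocklist case-sensitively, so an attacker-controlled filename ending in `.EXE` or `.Exe` passes while `.exe` is rejected; normalise first with `const ext = path.extname(file.originalname).toLowerCase();` and test membership with `config.blockedExtensions.includes(ext)`. An existing deployment whose config.js predates `blockedExtensions` will throw a TypeError from `.some` on every upload once this lands, so default it: `(config.blockedExtensions || []).includes(ext)`. Multer hands the rejection to the error middleware, so pass `cb(new Error('This file extension is not allowed'))` rather than a bare string, which has no stack and breaks `err.message` consumers. The filter also assumes `path` is required at the top of this file, which is outside the hunk; and because an extension denylist only catches what it names (e.g. `.scr`, `.ps1`, `.html`, `.svg` are not listed), treat it as a first line of defence rather than a guarantee that stored files are inert.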