From bf42a925740a517aaa6dabb4a275daf0d65696b4 Mon Sep 17 00:00:00 2001
From: Flam3rboy <34555296+Flam3rboy@users.noreply.github.com>
Date: Sat, 25 Sep 2021 23:54:30 +0200
Subject: [PATCH] :lock: XSS content type: html

---
 cdn/src/routes/attachments.ts | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/cdn/src/routes/attachments.ts b/cdn/src/routes/attachments.ts
index 7c55998b..49ceb1b6 100644
--- a/cdn/src/routes/attachments.ts
+++ b/cdn/src/routes/attachments.ts
@@ -8,6 +8,13 @@ import imageSize from "image-size";
 
 const router = Router();
 
+const SANITIZED_CONTENT_TYPE = [
+	"text/html",
+	"text/mhtml",
+	"multipart/related",
+	"application/xhtml+xml",
+];
+
 router.post(
 	"/:channel_id",
 	multer.single("file"),
@@ -24,7 +31,8 @@ router.post(
 		const id = Snowflake.generate();
 		const path = `attachments/${channel_id}/${id}/$(unknown)`;
 
-		const endpoint = Config.get()?.cdn.endpoint || "http://localhost:3003";
+		const endpoint =
+			Config.get()?.cdn.endpointPublic || "http://localhost:3003";
 
 		await storage.set(path, buffer);
 		var width;
@@ -61,8 +69,13 @@ router.get(
 		);
 		if (!file) throw new HTTPError("File not found");
 		const type = await FileType.fromBuffer(file);
+		let content_type = type?.mime || "application/octet-stream";
 
-		res.set("Content-Type", type?.mime);
+		if (SANITIZED_CONTENT_TYPE.includes(content_type)) {
+			content_type = "application/octet-stream";
+		}
+
+		res.set("Content-Type", content_type);
 		res.set("Cache-Control", "public, max-age=31536000");
 		return res.send(file);
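Review bot: `SANITIZED_CONTENT_TYPE` is a deny-list of four exact MIME strings, so any other browser-renderable type that can carry active content (`image/svg+xml` is the standard example) still goes out inline under its detected type; a deny-list has to be extended every time a new type is noticed, whereas an allow-list of the types this CDN intends to render inline, with everything else coerced to `application/octet-stream`, fails closed. Independently of which list is used, nothing visible in the GET hunk sets `X-Content-Type-Options: nosniff` or a `Content-Disposition` header, so a browser may still sniff a served body as markup regardless of the declared type — the GET handler's body runs past the end of the last hunk, so this may be set elsewhere and should be confirmed. As a smaller point, a frozen `Set` expresses the membership test more directly than `Array.prototype.includes` and cannot be mutated at runtime: `const SANITIZED_CONTENT_TYPE = new Set([ /* same entries */ ]);` paired with `if (SANITIZED_CONTENT_TYPE.has(content_type)) {` in the GET handler. A one-line comment above the list stating why these types are downgraded (`// served as octet-stream: browsers would execute script from these when rendered inline`) would also save the next maintainer from trimming it.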