From 94e9e83e93722d3974920c8eb9eefbea2469e027 Mon Sep 17 00:00:00 2001 From: bytedream Date: Sat, 21 Jun 2025 21:54:01 +0200 Subject: [PATCH] check file size in server action --- src/actions/report.ts | 18 ++++++++++++++++-- src/app/admin/reports/Reports.svelte | 3 +-- src/app/website/report/Dropzone.svelte | 5 +---- src/util/media.ts | 2 ++ 4 files changed, 20 insertions(+), 8 deletions(-) create mode 100644 src/util/media.ts diff --git a/src/actions/report.ts b/src/actions/report.ts index c0a7f29..cf89067 100644 --- a/src/actions/report.ts +++ b/src/actions/report.ts @@ -3,11 +3,12 @@ import { Session } from '@util/session.ts'; import { Permissions } from '@util/permissions.ts'; import { db } from '@db/database.ts'; import { z } from 'astro:schema'; -import { UPLOAD_PATH } from 'astro:env/server'; +import { MAX_UPLOAD_BYTES, UPLOAD_PATH } from 'astro:env/server'; import fs from 'node:fs'; import crypto from 'node:crypto'; import path from 'node:path'; import { sendWebhook, WebhookAction } from '@util/webhook.ts'; +import { allowedImageTypes, allowedVideoTypes } from '@util/media.ts'; export const report = { submitReport: defineAction({ @@ -15,9 +16,22 @@ export const report = { urlHash: z.string(), reason: z.string(), body: z.string(), - files: z.array(z.instanceof(File)).nullable() + files: z + .array( + z + .instanceof(File) + .refine((f) => [...allowedImageTypes, ...allowedVideoTypes].findIndex((v) => v === f.type) !== -1) + ) + .nullable() }), handler: async (input) => { + const fileSize = input.files?.reduce((prev, curr) => prev + curr.size, 0); + if (fileSize && fileSize > MAX_UPLOAD_BYTES) { + throw new ActionError({ + code: 'BAD_REQUEST' + }); + } + const report = await db.getReportByUrlHash({ urlHash: input.urlHash }); if (!report) { throw new ActionError({ diff --git a/src/app/admin/reports/Reports.svelte b/src/app/admin/reports/Reports.svelte index 3715e58..2684f95 100644 --- a/src/app/admin/reports/Reports.svelte 
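Review bot: The new `.refine` on `files` only compares the client-supplied `f.type` against the allow-lists, and the uploading browser or HTTP client chooses that value, so it validates the declared type rather than the upload's contents; if the stored file's extension or any later processing depends on `f.type`, the server should derive the type from the bytes before trusting it — from this hunk alone I can't see how the saved files are named. The `MAX_UPLOAD_BYTES` check on the summed size runs after the framework has already materialised the `File` objects, so it presumably limits what gets stored rather than what gets received, and the request-body limit still belongs at the server/proxy layer (worth confirming). Both rejections throw `ActionError` with only `code: 'BAD_REQUEST'`, so a caller cannot tell an oversized upload from an unsupported type; give each a message, e.g. `throw new ActionError({ code: 'BAD_REQUEST', message: 'uploads exceed MAX_UPLOAD_BYTES' })`. The allow-list array is rebuilt and scanned with `findIndex` for every file; hoist it once as `const allowedTypes = new Set([...allowedImageTypes, ...allowedVideoTypes]);` and write the refine as `.refine((f) => allowedTypes.has(f.type), { message: 'unsupported file type' })`. The `submitReport` action begins before the hunk and its handler continues past it.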
+++ b/src/app/admin/reports/Reports.svelte @@ -38,8 +38,7 @@ { key: 'report.status?.status', label: 'Bearbeitungsstatus' } ]} onClick={(report) => (activeReport = report)} -> - +/> {#key activeReport} diff --git a/src/app/website/report/Dropzone.svelte b/src/app/website/report/Dropzone.svelte index e6426d4..18e983a 100644 --- a/src/app/website/report/Dropzone.svelte +++ b/src/app/website/report/Dropzone.svelte @@ -1,15 +1,12 @@