我晒左少少時間寫左個middleware將佢拒之門外。
原理好簡單,檢查email入面既.zip附件有冇.js檔,有就reject。
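/**
 * Return the attachment bytes, decoding a base64 MIME part when one is detected.
 *
 * The input is treated as text and split on '\n'. If the second line carries a
 * base64 Content-Transfer-Encoding header, everything from the fourth line on is
 * joined and base64-decoded. Any other input is handed back untouched.
 *
 * NOTE(review): the fixed positions (header on line 2, body from line 4) mirror
 * what the upstream mail handler appears to deliver; confirm against real
 * payloads, because a part laid out differently is returned undecoded and the
 * zip parser will not be able to read it.
 *
 * @param {Buffer} buffer - raw attachment data as received.
 * @returns {Buffer} the decoded bytes, or the original argument when no base64
 *   header is found or the input cannot be read.
 */
var tryGetZipBufferFromBase64 = function (buffer) {
  try {
    var lines = buffer.toString().split('\n');
    // MIME header names and encoding tokens are case-insensitive, so compare in
    // lower case; otherwise a differently-cased header skips decoding entirely.
    var header = lines.length > 1 ? lines[1].toLowerCase() : '';
    if (header.indexOf('content-transfer-encoding') !== -1 && header.indexOf('base64') !== -1) {
      // Buffer.from replaces the deprecated `new Buffer(string, encoding)` constructor.
      return Buffer.from(lines.slice(3).join(''), 'base64');
    }
  } catch (e) {
    // Best effort: an unreadable input is logged and passed through unchanged.
    console.log(e);
  }
  return buffer;
};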
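/**
 * Express-style middleware that drops an inbound mail when any uploaded
 * attachment, read as a zip archive, lists an entry whose extension is `.js`.
 *
 * Each item of `req.files` is decoded with tryGetZipBufferFromBase64, streamed
 * through `unzip.Parse()`, and judged on the entry names seen. If no item is
 * flagged, `next()` is called; otherwise the request is answered with a
 * "Mail dropped" message and `next()` is not called.
 *
 * Limits of this filter, as written:
 *  - Only the last dot-separated segment of each entry name is compared with
 *    `js`; other script types and nested archives are not examined.
 *  - The verdict is taken one second after parsing starts, so it reflects only
 *    the entries announced by then.
 *  - An attachment the parser rejects before any `.js` entry was seen is let
 *    through (presumably this is also the path non-zip attachments take).
 *
 * @param {object} req - request; `req.files` holds items with a `buffer` field.
 * @param {object} res - response; `res.send` is used to answer a dropped mail.
 * @param {Function} next - continuation; receives an error if the scan itself fails.
 */
var checkForThatVirus = function (req, res, next) {
  // Nothing was uploaded with this request, so there is nothing to inspect.
  if (!req.files) return next();
  console.log('Checking for virus...');
  Async.map(req.files, function (zip, callback) {
    var buffer = tryGetZipBufferFromBase64(zip.buffer);
    var bufferStream = new stream.PassThrough();
    var zipHasJS = false;
    bufferStream.end(buffer);
    bufferStream.pipe(unzip.Parse()).on('entry', function (entry) {
      var splitted = entry.path.split('.');
      // Only the entry name matters; discard the contents so parsing continues.
      entry.autodrain();
      if (splitted[splitted.length - 1].toLowerCase() === 'js') {
        zipHasJS = true;
      }
    }).on('error', function () {
      // A parse failure must not clear a `.js` entry that was already seen, so
      // the error is absorbed here and the verdict rests on zipHasJS alone.
    });
    // NOTE(review): the parser's completion is not awaited; the verdict is read
    // after a fixed one-second wait. Confirm which end-of-archive event the
    // unzip library emits and resolve on that instead of a timer.
    setTimeout(function () {
      callback(null, zipHasJS);
    }, 1000);
  }, function (err, results) {
    // Hand failures to the framework's error handler rather than throwing from
    // an asynchronous callback, where nothing can catch it.
    if (err) return next(err);
    var hasJS = results.some(Boolean);
    if (!hasJS) return next();
    console.log('Mail dropped: at least a .js in one of .zip file');
    res.send('Mail dropped: at least a .js in one of .zip file');
  });
};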