feat: add DISALLOWED_MIME_FOR_PASTE config

Author: SharzyL

src/handlers/handleRead.ts

@@ -115,12 +115,16 @@ export async function handleGet(request: Request, env: Env, ctx: ExecutionContex
   // check `if-modified-since`
   const pasteLastModifiedUnix = item.metadata.lastModifiedAtUnix
 
-  const inferred_mime =
+  let inferred_mime =
     url.searchParams.get("mime") ||
     (ext && mime.getType(ext)) ||
     (item.metadata.filename && mime.getType(item.metadata.filename)) ||
     "text/plain"
 
+  if (env.DISALLOWED_MIME_FOR_PASTE.includes(inferred_mime)) {
+    inferred_mime = "text/plain"
+  }
+
   const headerModifiedSince = request.headers.get("If-Modified-Since")
   if (headerModifiedSince) {
     const headerModifiedSinceUnix = Date.parse(headerModifiedSince) / 1000

test/controlHeaders.spec.ts

@@ -27,6 +27,10 @@ test("mime type", async () => {
 
   await testMime(url_pic, "image/jpeg;charset=UTF-8")
   await testMime(`${url_pic}.png`, "image/png;charset=UTF-8")
+
+  // test disallowed mimetypes
+  await testMime(`${url_pic}.html`, "text/plain;charset=UTF-8")
+  await testMime(`${url_pic}?mime=text/html`, "text/plain;charset=UTF-8")
 })
 
 test("cache control", async () => {

worker-configuration.d.ts

@@ -1,5 +1,5 @@
 /* eslint-disable */
-// Generated by Wrangler by running `wrangler types --strict-vars false` (hash: 5fae5e306236e45554810cfa6e71ce54)
+// Generated by Wrangler by running `wrangler types --strict-vars false` (hash: 6b22c42e567b3c204913f826b6198cca)
 // Runtime types generated with [email protected] 2025-04-24 
 declare namespace Cloudflare {
 	interface Env {
@@ -16,6 +16,7 @@ declare namespace Cloudflare {
 		BASIC_AUTH: object;
 		R2_THRESHOLD: string;
 		R2_MAX_ALLOWED: string;
+		DISALLOWED_MIME_FOR_PASTE: string[];
 		R2: R2Bucket;
 		ASSETS: Fetcher;
 	}

wrangler.toml

@@ -42,12 +42,12 @@ DEPLOY_URL = "https://shz.al"
 # url to repo, displayed in the index page
 REPO = "https://github.com/SharzyL/pastebin-worker"
 
-# the name displayed in TOS
-TOS_MAINTAINER = "Sharzy"
-
 # the page title displayed in index page
 INDEX_PAGE_TITLE = "Pastebin Worker"
 
+# the name displayed in TOS
+TOS_MAINTAINER = "Sharzy"
+
 # the email displayed in TOS
 TOS_MAIL = "[email protected]"
 
@@ -67,8 +67,11 @@ MAX_EXPIRATION = "30d"
 # Leave empty to disable auth
 BASIC_AUTH = {}
 
-# if file larger than this threshold, it will be stored in R2
+# Files larger than this threshold will be stored in R2
 R2_THRESHOLD = "100K"
 
-# file larger than this will be denied
+# File larger than this will be denied
 R2_MAX_ALLOWED = "100M"
+
+# The following mimetypes will be converted to text/plain
+DISALLOWED_MIME_FOR_PASTE = ["text/html"]