try to harden image seeding

Author: appinteractive

package.json

@@ -5,8 +5,8 @@
   "homepage": "https://human-connection.org",
   "license": "CC-BY-NC-SA-4.0",
   "repository": {
-    "type" : "git",
-    "url" : "https://github.com/Human-Connection/API.git"
+    "type": "git",
+    "url": "https://github.com/Human-Connection/API.git"
   },
   "main": "server",
   "keywords": [
@@ -21,8 +21,8 @@
   },
   "contributors": [],
   "bugs": {
-    "url" : "https://github.com/Human-Connection/API/issues",
-    "email" : "[email protected]"
+    "url": "https://github.com/Human-Connection/API/issues",
+    "email": "[email protected]"
   },
   "directories": {
     "lib": "server",
@@ -78,6 +78,7 @@
     "handlebars-layouts": "~3.1.4",
     "helmet": "~3.10.0",
     "html-excerpt": "~0.1.0",
+    "mime": "^2.2.0",
     "mongoose": "~4.13.2",
     "multer": "~1.3.0",
     "node-sass": "~4.7.2",

server/hooks/save-remote-images.js

@@ -6,11 +6,12 @@ const fs = require('fs');
 const path = require('path');
 const request = require('request');
 const faker = require('faker');
+const mime = require('mime/lite');
 
 module.exports = function (options = []) { // eslint-disable-line no-unused-vars
   return function async (hook) {
 
-    return new Promise((resolve) => {
+    return new Promise((resolve, reject) => {
 
       let urls = [];
 
@@ -35,25 +36,46 @@ module.exports = function (options = []) { // eslint-disable-line no-unused-vars
           imgCount++;
           // TODO: fix that to use the data _id or somethink similar
           let uuid = faker.fake('{{random.uuid}}');
-          const imgName = `${field}_${uuid}.jpg`;
-          const imgPath = path.resolve('public', 'uploads/' + imgName);
-          let stream = fs.createWriteStream(imgPath);
-          urls.push(imgPath);
-          stream.on('close', () => {
-            if (--loading <= 0) {
-              hook.app.debug('Download(s) finished', imgName);
-              resolve(hook);
-            } else {
-              hook.app.debug('Download finished', imgName);
+          const imgName = `${field}_${uuid}`;
+          let imgPath = path.resolve('public', 'uploads/' + imgName);
+
+          request({
+            url: hook.data[field],
+            encoding: null
+          }, (err, res, body) => {
+            if (err) {
+              hook.app.error(err);
+              reject(err);
+            }
+            try {
+              const mimeType = res.headers['content-type'];
+              if (mimeType.indexOf('image') !== 0) {
+                hook.app.error('its not an image');
+                reject('its not an image');
+              }
+
+              const ext = mime.getExtension(mimeType);
+
+              imgPath += `.${ext}`;
+
+              fs.writeFileSync(imgPath, body, {
+                encoding: 'binary'
+              });
+
+              loading--;
+
+              hook.data[field] = uploadsUrl + imgName + `.${ext}`;
+
+              if (imgCount > 0 && loading <= 0) {
+                hook.app.debug('Download(s) finished', urls);
+                resolve(hook);
+              }
+            } catch (err) {
+              hook.app.error(err);
             }
           });
-          stream.on('error', (err) => {
-            // reject(err);
-            throw new errors.Unprocessable('Thumbnail download failed', { errors: err, urls: urls });
-          });
+
           hook.app.debug('Downloading', hook.data[field]);
-          request(hook.data[field]).pipe(stream);
-          hook.data[field] = uploadsUrl + imgName;
         });
 
         if (imgCount > 0 && loading <= 0) {

yarn.lock

@@ -3143,6 +3143,10 @@ [email protected]:
   version "1.4.1"
   resolved "https://registry.yarnpkg.com/mime/-/mime-1.4.1.tgz#121f9ebc49e3766f311a76e1fa1c8003c4b03aa6"
 
+mime@^2.2.0:
+  version "2.2.0"
+  resolved "https://registry.yarnpkg.com/mime/-/mime-2.2.0.tgz#161e541965551d3b549fa1114391e3a3d55b923b"
+
 mimer@^0.2.1:
   version "0.2.3"
   resolved "https://registry.yarnpkg.com/mimer/-/mimer-0.2.3.tgz#8808c0d03fb2b1273b81ae25a6e52e04ce18dce4"