2024-04-10 12:35:35 +02:00
|
|
|
import { stat } from 'fs-extra';
|
|
|
|
import { extname } from 'path';
|
2024-04-03 19:57:52 +02:00
|
|
|
|
|
|
|
|
2024-04-10 12:35:35 +02:00
|
|
|
const isSafeToOpen = async (path: string) => {
|
2024-04-03 19:57:52 +02:00
|
|
|
// This is intended to fix an issue where some platforms would execute attachment
|
|
|
|
// files without confirmation depending on the file extension (e.g. .EXE). This is
|
|
|
|
// mostly for Windows.
|
|
|
|
//
|
|
|
|
// Below is a list of extensions that we should be able to safely pass to shell.openItem
|
|
|
|
// without code execution.
|
|
|
|
|
|
|
|
// Prevent CSpell from marking file extensions as misspellings:
|
|
|
|
// cSpell:disable
|
|
|
|
const generallySafeExtensions = [
|
|
|
|
// Image files (see https://developer.mozilla.org/en-US/docs/Web/Media/Formats/Image_types)
|
|
|
|
'.apng',
|
|
|
|
'.avif',
|
|
|
|
'.bmp',
|
|
|
|
'.gif',
|
|
|
|
'.heic',
|
|
|
|
'.heics',
|
|
|
|
'.ico',
|
|
|
|
'.jpeg',
|
|
|
|
'.jpg',
|
|
|
|
'.pjp',
|
|
|
|
'.pjpeg',
|
|
|
|
'.png',
|
|
|
|
'.svg',
|
|
|
|
'.svgz',
|
|
|
|
'.webp',
|
|
|
|
'.tiff',
|
|
|
|
'.tif',
|
|
|
|
|
|
|
|
// Video files
|
|
|
|
'.3g2',
|
|
|
|
'.3gp',
|
|
|
|
'.avi',
|
|
|
|
'.divx',
|
|
|
|
'.h261',
|
|
|
|
'.h263',
|
|
|
|
'.h264',
|
|
|
|
'.jpgv',
|
|
|
|
'.m4p',
|
|
|
|
'.m4v',
|
|
|
|
'.mk3d',
|
|
|
|
'.mkv',
|
|
|
|
'.mov',
|
|
|
|
'.movie',
|
|
|
|
'.mp4',
|
|
|
|
'.mp4v',
|
|
|
|
'.mpeg',
|
|
|
|
'.mpg',
|
|
|
|
'.mpg4',
|
|
|
|
'.ogv',
|
|
|
|
'.webm',
|
|
|
|
'.wmv',
|
|
|
|
|
|
|
|
// Audio files
|
|
|
|
// https://developer.mozilla.org/en-US/docs/Web/Media/Formats/Containers#browser_compatibility
|
|
|
|
'.3gp',
|
|
|
|
'.aac',
|
|
|
|
'.flac',
|
|
|
|
'.m2a',
|
|
|
|
'.m3a',
|
|
|
|
'.m4a',
|
|
|
|
'.mp2',
|
|
|
|
'.mp3',
|
|
|
|
'.mpga',
|
|
|
|
'.oga',
|
|
|
|
'.ogg',
|
|
|
|
'.wav',
|
|
|
|
'.wma',
|
|
|
|
|
|
|
|
// Document files
|
|
|
|
'.epub',
|
|
|
|
'.pdf',
|
|
|
|
'.txt',
|
|
|
|
|
|
|
|
// By default (as of Feb 2024), Word/Excel disable macros by default, and should thus
|
|
|
|
// be reasonably safe to include here. Pay attention to these Office extensions in the future.
|
|
|
|
'.docx', // Word (no macros)
|
|
|
|
'.odp',
|
|
|
|
'.ods',
|
|
|
|
'.odt',
|
|
|
|
'.pptx', // PowerPoint (no macros)
|
|
|
|
// '.psd', // PhotoShop
|
|
|
|
// MS Word can try to convert RTF files, causing security issues: https://en.wikipedia.org/wiki/Rich_Text_Format#Security_concerns
|
|
|
|
// However, macros are disabled by default in modern Office.
|
|
|
|
// '.rtf',
|
|
|
|
'.xlsx', // Excel (no macros)
|
|
|
|
// '.xopp', // Xournal++ -- Can include LaTeX. Verify it's safe before including.
|
|
|
|
|
|
|
|
// Text files
|
|
|
|
'.c',
|
|
|
|
'.cjs',
|
|
|
|
'.cpp',
|
|
|
|
'.css',
|
|
|
|
'.csv',
|
|
|
|
'.cxx',
|
|
|
|
'.dart',
|
|
|
|
'.go',
|
|
|
|
'.h',
|
|
|
|
'.hh',
|
|
|
|
'.f', // Fortran
|
|
|
|
'.for',
|
|
|
|
'.f77',
|
|
|
|
'.f90',
|
|
|
|
'.hmm',
|
|
|
|
'.hpp',
|
|
|
|
'.hxx',
|
|
|
|
'.java',
|
|
|
|
'.json',
|
|
|
|
'.json5',
|
|
|
|
'.jsx',
|
|
|
|
'.log',
|
|
|
|
'.m',
|
|
|
|
'.md',
|
|
|
|
'.markdown',
|
|
|
|
'.mdx',
|
|
|
|
'.mjs',
|
|
|
|
'.mm',
|
|
|
|
'.patch',
|
|
|
|
'.r',
|
|
|
|
'.rmd',
|
|
|
|
'.rs', // Rust
|
|
|
|
'.sass',
|
|
|
|
'.scss',
|
|
|
|
'.sha256',
|
|
|
|
'.sha512',
|
|
|
|
'.swift',
|
|
|
|
'.tex',
|
|
|
|
'.toml',
|
|
|
|
'.ts',
|
|
|
|
'.tsv',
|
|
|
|
'.tsx',
|
|
|
|
'.xml',
|
|
|
|
'.yaml',
|
|
|
|
// .js may be set to run with Windows Script Host on some systems
|
|
|
|
// .ml: OCaml
|
|
|
|
// .py may be set to run with the system Python interpreter on some systems
|
|
|
|
// .rkt: Racket
|
|
|
|
|
|
|
|
// Archives
|
|
|
|
'.7z',
|
|
|
|
'.tar.gz',
|
|
|
|
'.tar',
|
|
|
|
'.zip',
|
|
|
|
|
|
|
|
// Fonts
|
|
|
|
'.ttf',
|
|
|
|
'.woff',
|
|
|
|
'.otf',
|
|
|
|
|
|
|
|
// Calendar
|
|
|
|
'.ics',
|
|
|
|
'.ical',
|
|
|
|
'.icalendar',
|
|
|
|
|
|
|
|
// Joplin
|
|
|
|
'.jex',
|
|
|
|
// '.jpl', // Plugin files
|
|
|
|
|
|
|
|
// Other
|
|
|
|
'.htm',
|
|
|
|
'.html',
|
|
|
|
'.enex', // Evernote
|
|
|
|
// '.desktop', // May be auto-executed on some Linux systems
|
|
|
|
];
|
|
|
|
// cSpell:enable
|
|
|
|
|
|
|
|
const lowercasedPath = path.trim().toLowerCase();
|
|
|
|
for (const ext of generallySafeExtensions) {
|
|
|
|
if (lowercasedPath.endsWith(ext)) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
}
|
2024-04-10 12:35:35 +02:00
|
|
|
|
|
|
|
if (extname(path) === '' && (await stat(path)).isDirectory()) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2024-04-03 19:57:52 +02:00
|
|
|
return false;
|
|
|
|
};
|
|
|
|
|
|
|
|
export default isSafeToOpen;
|