Add extension whitelist to company logo file name

invoice-crater · Feb 4, 2024 · f597471 · f597471
1 parent 8fce778
commit f597471
Showing 1 changed file with 39 additions and 21 deletions.
diff --git a/app/Http/Controllers/V1/Admin/Settings/CompanyController.php b/app/Http/Controllers/V1/Admin/Settings/CompanyController.php
@@ -56,41 +56,59 @@ public function updateCompany(CompanyRequest $request)
 
         return new CompanyResource($company);
     }
+/**
+ * Upload the company logo to storage.
+ *
+ * @param  \Crater\Http\Requests\CompanyLogoRequest $request
+ * @return \Illuminate\Http\JsonResponse
+ */
+public function uploadCompanyLogo(CompanyLogoRequest $request)
+{
+    $company = Company::find($request->header('company'));
+    $this->authorize('manage company', $company);
 
-    /**
-     * Upload the company logo to storage.
-     *
-     * @param  \Crater\Http\Requests\CompanyLogoRequest $request
-     * @return \Illuminate\Http\JsonResponse
-     */
-    public function uploadCompanyLogo(CompanyLogoRequest $request)
-    {
-        $company = Company::find($request->header('company'));
+    $data = json_decode($request->company_logo);
 
-        $this->authorize('manage company', $company);
+    if (isset($request->is_company_logo_removed) && (bool) $request->is_company_logo_removed) {
+        $company->clearMediaCollection('logo');
+    }
 
-        $data = json_decode($request->company_logo);
+    if ($data) {
+        $company = Company::find($request->header('company'));
 
-        if (isset($request->is_company_logo_removed) && (bool) $request->is_company_logo_removed) {
-            $company->clearMediaCollection('logo');
-        }
-        if ($data) {
-            $company = Company::find($request->header('company'));
+        if ($company) {
+            // Extract the file extension from the filename
+            $fileExtension = pathinfo($data->name, PATHINFO_EXTENSION);
 
-            if ($company) {
+            // Define an array of allowed extensions
+            $allowedExtensions = ['gif', 'png', 'jpeg'];
+
+            // Check if the file extension is allowed
+            if (in_array($fileExtension, $allowedExtensions)) {
                 $company->clearMediaCollection('logo');
 
                 $company->addMediaFromBase64($data->data)
                     ->usingFileName($data->name)
                     ->toMediaCollection('logo');
+
+                return response()->json([
+                    'success' => true,
+                ]);
+            } else {
+                // File extension is not allowed
+                return response()->json([
+                    'error' => 'Only .gif, .png, and .jpeg file extensions are allowed.',
+                ], 400); // You can set an appropriate HTTP status code for this case
             }
         }
-
-        return response()->json([
-            'success' => true,
-        ]);
     }
 
+    return response()->json([
+        'success' => true,
+    ]);
+}
+
+
     /**
      * Upload the Admin Avatar to public storage.
      *