From cda3a10dc2ad68d2ca54f0a9a7081bc14e45655e Mon Sep 17 00:00:00 2001
From: Daniel Nitsikopoulos
Date: Sat, 11 Feb 2023 15:45:00 +1100
Subject: [PATCH] Only allow images to be uploaded
---
 app/commands/media/upload.rb | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/app/commands/media/upload.rb b/app/commands/media/upload.rb
index 8e142a3..b2a3ba6 100644
--- a/app/commands/media/upload.rb
+++ b/app/commands/media/upload.rb
@@ -2,6 +2,7 @@
 require "securerandom"
 require "dry/monads"
+require "filemagic"
 module Adamantium
 module Commands
@@ -10,7 +11,15 @@ module Adamantium
 include Deps["settings"]
 include Dry::Monads[:result]
+ VALID_UPLOAD_TYPES = %i[jpeg jpg png gif]
+
 def call(file:)
+ mime = FileMagic.new
+
+ type = mime.file(file[:tempfile].path, true)
+
+ return Failure(:invalid_file_type) unless VALID_UPLOAD_TYPES.include? type.to_sym
+
 pathname = Time.now.strftime("%m-%Y")
 filename = "#{SecureRandom.uuid}#{File.extname(file[:filename])}"
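Review bot: The stored name still takes its extension from the client-supplied `file[:filename]` (last context line of the second hunk), so the new libmagic check and the extension written to disk can disagree: content that identifies as an image is accepted and saved under whatever extension the client sent. If uploads are later served with an extension-derived Content-Type (not visible here), the allowlist does not constrain how the file is interpreted; building the name from the detected type closes that gap, e.g. `filename = "#{SecureRandom.uuid}.#{type}"`. Separately, the `FileMagic.new` handle is never closed, and `type.to_sym` raises if the simplified result is ever nil; the block form `FileMagic.open { |fm| fm.file(path, true) }` with a string allowlist (`%w[jpeg png gif].include?(type)`) avoids both. `call` continues past the end of the hunk, so how `filename` is used afterwards is not visible.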