fix: validate texture asset names server-side

lib/parse-upload.ts

@@ -1,7 +1,8 @@
 import { extname } from 'path'
 import { NextRequest } from 'next/server'
 import { sanitizeFilename } from './sanitize'
-import { ALL_ALLOWED_EXTENSIONS, MODEL_EXTENSIONS, MAX_FILE_SIZE } from './constants'
+import { ALL_ALLOWED_EXTENSIONS, MODEL_EXTENSIONS, MAX_FILE_SIZE, TEXTURE_EXTENSIONS } from './constants'
+import { getTextureNamingError } from './asset-naming'
 import type { ParsedFile } from './types'
 
 interface ParsedUpload {
@@ -48,10 +49,10 @@ export async function parseMultiUpload(req: NextRequest): Promise<ParsedUpload>
     const texName = textureNames[i] || ''
 
     const originalSafe = sanitizeFilename(file.name)
-    const ext = extname(originalSafe).toLowerCase()
+    const originalExt = extname(originalSafe).toLowerCase()
 
-    if (!ALL_ALLOWED_EXTENSIONS.has(ext)) {
-      throw new Error(`Extension non autorisee: "${ext}"`)
+    if (!ALL_ALLOWED_EXTENSIONS.has(originalExt)) {
+      throw new Error(`Extension non autorisee: "${originalExt}"`)
     }
 
     let filename: string
@@ -61,7 +62,20 @@ export async function parseMultiUpload(req: NextRequest): Promise<ParsedUpload>
       filename = originalSafe
     }
 
-    const isModel = MODEL_EXTENSIONS.has(ext)
+    const filenameExt = extname(filename).toLowerCase()
+    if (filenameExt !== originalExt) {
+      throw new Error(`Nom de fichier incoherent : ${filename} ne correspond pas a l'extension originale ${originalExt}`)
+    }
+
+    const textureNamingError = TEXTURE_EXTENSIONS.has(filenameExt)
+      ? getTextureNamingError(filename)
+      : null
+
+    if (textureNamingError) {
+      throw new Error(textureNamingError)
+    }
+
+    const isModel = MODEL_EXTENSIONS.has(filenameExt)
     if (isModel) {
       if (filename.toLowerCase() !== 'model.gltf') {
         throw new Error('Le modele doit etre nomme model.gltf')