fix: add some file sanitization

bigbluebutton-html5/imports/ui/components/video-preview/virtual-background/component.jsx

@@ -76,6 +76,8 @@ const intlMessages = defineMessages({
   }, {})
 });
 
+const MAX_FILE_SIZE = 5000;
+
 const VirtualBgSelector = ({
   intl,
   handleVirtualBgSelected,
@@ -159,7 +161,11 @@ const VirtualBgSelector = ({
 
   const handleCustomBgChange = (event) => {
     const file = event.target.files[0];
-    const { name: filename } = file;
+    const { name: filename, size } = file;
+    const sizeInKB = size / 1024;
+
+    if (sizeInKB > MAX_FILE_SIZE) return;
+
     const reader = new FileReader();
     const substrings = filename.split('.');
     substrings.pop();
@@ -340,6 +346,7 @@ const VirtualBgSelector = ({
                 id="customBgSelector"
                 onChange={handleCustomBgChange}
                 style={{ display: 'none' }}
+                accept="image/png, image/jpeg"
               />
               <div aria-hidden className="sr-only" id={`vr-cam-btn-custom`}>
                 {intl.formatMessage(intlMessages.customLabel)}

bigbluebutton-html5/imports/ui/components/video-provider/video-list/video-list-item/component.jsx

@@ -33,6 +33,8 @@ const intlMessages = defineMessages({
 });
 
 const VIDEO_CONTAINER_WIDTH_BOUND = 125;
+const MIME_TYPES_ALLOWED = ['image/png', 'image/jpeg'];
+const MAX_FILE_SIZE = 5000; // KBytes
 
 const VideoListItem = (props) => {
   const {
@@ -279,8 +281,10 @@ const VideoListItem = (props) => {
 
     const { files } = e.dataTransfer;
     const file = files[0];
+    const { size, type } = file;
+    const sizeInKB = size / 1024;
 
-    if (!file.type.startsWith('image')) return;
+    if (sizeInKB > MAX_FILE_SIZE || !MIME_TYPES_ALLOWED.includes(type)) return;
 
     if (Session.get('skipBackgroundDropConfirmation')) {
       return startAndSaveVirtualBackground(file);