enforce filetypes

backend/api/index.php

@@ -666,6 +666,14 @@ function handleDocuments($method, $id, $db) {
 function handleAttachments($method, $id, $db) {
     $username = $_SESSION['neptune_username'] ?? 'Unknown';
     $uploadDir = '/var/www/uploads/';
+    $allowedExtensions = ['pdf', 'md', 'txt', 'xlsx', 'csv', 'pptx', 'evidence'];
+    $allowedMimes = [
+        'application/pdf',
+        'text/markdown', 'text/x-markdown', 'text/plain',
+        'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+        'text/csv', 'application/csv',
+        'application/vnd.openxmlformats-officedocument.presentationml.presentation',
+    ];
 
     switch ($method) {
         case 'GET':
@@ -693,7 +701,22 @@ function handleAttachments($method, $id, $db) {
                 return;
             }
             $file = $_FILES['file'];
-            $ext = pathinfo($file['name'], PATHINFO_EXTENSION);
+            $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
+
+            if (!in_array($ext, $allowedExtensions)) {
+                http_response_code(400);
+                echo json_encode(['error' => 'File type not allowed. Allowed: ' . implode(', ', $allowedExtensions)]);
+                return;
+            }
+
+            $mime = $file['type'] ?: '';
+            $mimeAllowed = empty($mime) || in_array($mime, $allowedMimes);
+            if (!$mimeAllowed && $ext !== 'evidence') {
+                http_response_code(400);
+                echo json_encode(['error' => 'Invalid file content']);
+                return;
+            }
+
             $storedName = uniqid('att_', true) . '.' . $ext;
             $dest = $uploadDir . $storedName;
 

frontend/assets/js/app.js

@@ -167,11 +167,24 @@ function initApp() {
         document.getElementById('opacityVal').textContent = parseFloat(e.target.value).toFixed(2);
     });
 
-    document.getElementById('eventFileInput').addEventListener('change', (e) => {
+    const ALLOWED_EXTENSIONS = ['pdf', 'md', 'txt', 'docx', 'xlsx', 'csv', 'pptx', 'evidence'];
+
+document.getElementById('eventFileInput').addEventListener('change', (e) => {
         const preview = document.getElementById('eventFilePreview');
-        const files = e.target.files;
+        const files = Array.from(e.target.files);
+        const invalid = files.filter(f => {
+            const ext = f.name.split('.').pop().toLowerCase();
+            return !ALLOWED_EXTENSIONS.includes(ext);
+        });
+        if (invalid.length) {
+            preview.innerHTML = '<div class="text-danger small"><i class="fas fa-exclamation-circle me-1"></i>Invalid type(s): ' +
+                invalid.map(f => f.name).join(', ') +
+                '. Allowed: ' + ALLOWED_EXTENSIONS.join(', ') + '</div>';
+            e.target.value = '';
+            return;
+        }
         if (!files.length) { preview.innerHTML = ''; return; }
-        preview.innerHTML = Array.from(files).map(f =>
+        preview.innerHTML = files.map(f =>
             `<div class="small text-secondary"><i class="fas ${getFileIcon(f.type, f.name)} me-1"></i>${esc(f.name)} (${formatFileSize(f.size)})</div>`
         ).join('');
     });

frontend/index.html

@@ -253,7 +253,7 @@
                     </div>
                     <div class="mb-2">
                         <label class="form-label small">File Attachments</label>
-                        <input type="file" class="form-control form-control-sm" id="eventFileInput" multiple>
+                        <input type="file" class="form-control form-control-sm" id="eventFileInput" multiple accept=".pdf,.md,.txt,.docx,.xlsx,.csv,.pptx,.evidence">
                         <div id="eventFilePreview" class="mt-1"></div>
                     </div>
                 </form>