Fix file upload XSS

The application image file upload allowed authenticated users to upload
malious .html files. Opening such a file like

https://push.gotify.net/image/ViaxrjzNowdgL-xnEfVV-Ggv5.html

would allow the attacker to execute client side scripts.

The application image upload will now only allow the upload of files
with the following extensions: .gif, .png, .jpg and .jpeg.

api/application.go

@@ -329,6 +329,14 @@ func (a *ApplicationAPI) UploadApplicationImage(ctx *gin.Context) {
 
 			ext := filepath.Ext(file.Filename)
 
+			switch ext {
+			case ".gif", ".png", ".jpg", ".jpeg":
+				// ok
+			default:
+				ctx.AbortWithError(400, errors.New("invalid file extension"))
+				return
+			}
+
 			name := generateNonExistingImageName(a.ImageDir, func() string {
 				return generateImageName() + ext
 			})

api/application_test.go

@@ -398,6 +398,22 @@ func (s *ApplicationSuite) Test_UploadAppImage_WithTextFile_expectBadRequest() {
 	assert.Equal(s.T(), s.ctx.Errors[0].Err, errors.New("file must be an image"))
 }
 
+func (s *ApplicationSuite) Test_UploadAppImage_WithHtmlFileHavingImageHeader() {
+	s.db.User(5).App(1)
+
+	cType, buffer, err := upload(map[string]*os.File{"file": mustOpen("../test/assets/image-header-with.html")})
+	assert.Nil(s.T(), err)
+	s.ctx.Request = httptest.NewRequest("POST", "/irrelevant", &buffer)
+	s.ctx.Request.Header.Set("Content-Type", cType)
+	test.WithUser(s.ctx, 5)
+	s.ctx.Params = gin.Params{{Key: "id", Value: "1"}}
+
+	s.a.UploadApplicationImage(s.ctx)
+
+	assert.Equal(s.T(), 400, s.recorder.Code)
+	assert.Equal(s.T(), s.ctx.Errors[0].Err, errors.New("invalid file extension"))
+}
+
 func (s *ApplicationSuite) Test_UploadAppImage_expectNotFound() {
 	s.db.User(5)