verify that the uploaded modified file is temporary

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "trilium",
-  "version": "0.63.3",
+  "version": "0.63.5",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "trilium",
-      "version": "0.63.3",
+      "version": "0.63.5",
       "hasInstallScript": true,
       "license": "AGPL-3.0-only",
       "dependencies": {

src/routes/api/files.js

@@ -154,12 +154,16 @@ function saveAttachmentToTmpDir(req) {
     return saveToTmpDir(fileName, content, 'attachments', attachment.attachmentId);
 }
 
+const createdTemporaryFiles = new Set();
+
 function saveToTmpDir(fileName, content, entityType, entityId) {
     const tmpObj = tmp.fileSync({ postfix: fileName });
 
     fs.writeSync(tmpObj.fd, content);
     fs.closeSync(tmpObj.fd);
 
+    createdTemporaryFiles.add(tmpObj.name);
+
     log.info(`Saved temporary file ${tmpObj.name}`);
 
     if (utils.isElectron()) {
@@ -183,6 +187,10 @@ function uploadModifiedFileToNote(req) {
     const noteId = req.params.noteId;
     const {filePath} = req.body;
 
+    if (!createdTemporaryFiles.has(filePath)) {
+        throw new ValidationError(`File '${filePath}' is not a temporary file.`);
+    }
+
     const note = becca.getNoteOrThrow(noteId);
 
     log.info(`Updating note '${noteId}' with content from '${filePath}'`);