From fa1a7037b47f2e0114d8abc5a99d29239bd3637b Mon Sep 17 00:00:00 2001
From: Kristóf Marussy
Date: Sun, 10 Jul 2022 16:07:45 +0200
Subject: refactor: local server import/export
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Kristóf Marussy
---
 .../app/Controllers/Http/ImageController.js | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
 (limited to 'src/internal-server/app/Controllers')

diff --git a/src/internal-server/app/Controllers/Http/ImageController.js b/src/internal-server/app/Controllers/Http/ImageController.js
index 9b11783c7..731f181e0 100644
--- a/src/internal-server/app/Controllers/Http/ImageController.js
+++ b/src/internal-server/app/Controllers/Http/ImageController.js
@@ -2,13 +2,25 @@
 const Env = use('Env');
 const path = require('path');
 const fs = require('fs-extra');
+const sanitize = require('sanitize-filename');
 
 class ImageController {
 async icon({ params, response }) {
- const { id } = params;
+ let { id } = params;
+
+ id = sanitize(id);
+ if (id === '') {
+ return response.status(404).send({
+ status: "Icon doesn't exist",
+ });
+ }
 
 const iconPath = path.join(Env.get('USER_PATH'), 'icons', id);
- if (!fs.existsSync(iconPath)) {
+
+ try {
+ await fs.access(iconPath);
+ } catch {
+ // File not available.
 return response.status(404).send({
 status: "Icon doesn't exist",
 });
-- 
cgit v1.2.3-54-g00ecf
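Review bot: The `id = sanitize(id)` line rewrites a hostile id into a different filename instead of rejecting it, so only an id that sanitises to the empty string gets the 404. Any other id carrying separators or reserved characters is quietly mapped onto another name under `icons` and looked up as if the client had asked for it. Rejecting on mismatch is stricter and leaves a clear event to log: keep the raw value, use `const safeId = sanitize(id);` and guard with `if (safeId === '' || safeId !== id) {`, then build `iconPath` from `safeId`. The rest of `icon()`, including whatever serves the file after the `fs.access` probe, lies outside the hunk, so confirm it reads the same sanitised `iconPath` and not `params.id`.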