Update dependencies and fix local server directory traversal

6 files changed, 67 insertions, 11 deletions

diff --git a/.nvmrc b/.nvmrc
index 99cdd80..d928989 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-16.15.0
+16.15.1
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b4643de..c8402a8 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -49,8 +49,8 @@ Currently, these are the combinations of system dependencies that work for MacOS
 ```bash
 $ jq --null-input '[inputs.engines] | add' < ./package.json < ./recipes/package.json
 {
-  "node": "16.15.0",
-  "npm": "8.7.0",
+  "node": "16.15.1",
+  "npm": "8.13.2",
   "pnpm": "7.0.1"
 }
 ```
diff --git a/Dockerfile b/Dockerfile
index dc032fe..e270d16 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:16.15.0-alpine as build
+FROM node:16.15.1-alpine as build
 
 WORKDIR /server-build
 
@@ -11,7 +11,7 @@ RUN NPM_VERSION=$(node -p 'require("./package.json").engines.npm'); npm i -g npm
 RUN npm ci --build-from-source --sqlite=/usr/local
 
 # ---- RUNTIME IMAGE ----------------------------------------------------------
-FROM node:16.15.0-alpine
+FROM node:16.15.1-alpine
 
 WORKDIR /app
 LABEL maintainer="ferdium"
diff --git a/app/Controllers/Http/ServiceController.js b/app/Controllers/Http/ServiceController.js
index 3d10cb4..1be0484 100644
--- a/app/Controllers/Http/ServiceController.js
+++ b/app/Controllers/Http/ServiceController.js
@@ -6,6 +6,7 @@ const Helpers = use('Helpers');
 const { v4: uuid } = require('uuid');
 const path = require('path');
 const fs = require('fs-extra');
+const sanitize = require('sanitize-filename');
 
 class ServiceController {
   // Create a new service for user
@@ -231,10 +232,21 @@ class ServiceController {
   }
 
   async icon({ params, response }) {
-    const { id } = params;
+    let { id } = params;
+
+    id = sanitize(id);
+    if (id === '') {
+      return response.status(404).send({
+        status: "Icon doesn't exist",
+      });
+    }
 
     const iconPath = path.join(Helpers.tmpPath('uploads'), id);
-    if (!(await fs.exists(iconPath))) {
+
+    try {
+      await fs.access(iconPath);
+    } catch {
+      // File not available.
       return response.status(404).send({
         status: "Icon doesn't exist",
       });
diff --git a/package-lock.json b/package-lock.json
index 6937f05..3cbb97e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -30,6 +30,7 @@
         "mysql": "2.18.1",
         "node-fetch": "^2.6.7",
         "pg": "^8.0.3",
+        "sanitize-filename": "1.6.3",
         "semver": "7.3.5",
         "sqlite3": "^4.1.0",
         "targz": "^1.0.1",
@@ -45,8 +46,8 @@
         "prettier": "2.3.2"
       },
       "engines": {
-        "node": "16.15.0",
-        "npm": "8.7.0"
+        "node": "16.15.1",
+        "npm": "8.13.2"
       }
     },
     "node_modules/@adonisjs/ace": {
@@ -8214,6 +8215,14 @@
       "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
       "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
     },
+    "node_modules/sanitize-filename": {
+      "version": "1.6.3",
+      "resolved": "https://registry.npmjs.org/sanitize-filename/-/sanitize-filename-1.6.3.tgz",
+      "integrity": "sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg==",
+      "dependencies": {
+        "truncate-utf8-bytes": "^1.0.0"
+      }
+    },
     "node_modules/sax": {
       "version": "1.2.4",
       "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz",
@@ -9479,6 +9488,14 @@
       "resolved": "https://registry.npmjs.org/triple-beam/-/triple-beam-1.3.0.tgz",
       "integrity": "sha512-XrHUvV5HpdLmIj4uVMxHggLbFSZYIn7HEWsqePZcI50pco+MPqJ50wMGY794X7AOOhxOBAjbkqfAbEe/QMp2Lw=="
     },
+    "node_modules/truncate-utf8-bytes": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz",
+      "integrity": "sha512-95Pu1QXQvruGEhv62XCMO3Mm90GscOCClvrIUwCM0PYOXK3kaF3l3sIHxx71ThJfcbM2O5Au6SO3AWCSEfW4mQ==",
+      "dependencies": {
+        "utf8-byte-length": "^1.0.1"
+      }
+    },
     "node_modules/tsconfig-paths": {
       "version": "3.14.1",
       "resolved": "https://registry.npmjs.org/tsconfig-paths/-/tsconfig-paths-3.14.1.tgz",
@@ -9774,6 +9791,11 @@
       "resolved": "https://registry.npmjs.org/yallist/-/yallist-2.1.2.tgz",
       "integrity": "sha1-HBH5IY8HYImkfdUS+TxmmaaoHVI="
     },
+    "node_modules/utf8-byte-length": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/utf8-byte-length/-/utf8-byte-length-1.0.4.tgz",
+      "integrity": "sha512-4+wkEYLBbWxqTahEsWrhxepcoVOJ+1z5PGIjPZxRkytcdSUaNjIjBM7Xn8E+pdSuV7SzvWovBFA54FO0JSoqhA=="
+    },
     "node_modules/util-deprecate": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
@@ -16621,6 +16643,14 @@
       "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
       "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
     },
+    "sanitize-filename": {
+      "version": "1.6.3",
+      "resolved": "https://registry.npmjs.org/sanitize-filename/-/sanitize-filename-1.6.3.tgz",
+      "integrity": "sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg==",
+      "requires": {
+        "truncate-utf8-bytes": "^1.0.0"
+      }
+    },
     "sax": {
       "version": "1.2.4",
       "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz",
@@ -17622,6 +17652,14 @@
       "resolved": "https://registry.npmjs.org/triple-beam/-/triple-beam-1.3.0.tgz",
       "integrity": "sha512-XrHUvV5HpdLmIj4uVMxHggLbFSZYIn7HEWsqePZcI50pco+MPqJ50wMGY794X7AOOhxOBAjbkqfAbEe/QMp2Lw=="
     },
+    "truncate-utf8-bytes": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz",
+      "integrity": "sha512-95Pu1QXQvruGEhv62XCMO3Mm90GscOCClvrIUwCM0PYOXK3kaF3l3sIHxx71ThJfcbM2O5Au6SO3AWCSEfW4mQ==",
+      "requires": {
+        "utf8-byte-length": "^1.0.1"
+      }
+    },
     "tsconfig-paths": {
       "version": "3.14.1",
       "resolved": "https://registry.npmjs.org/tsconfig-paths/-/tsconfig-paths-3.14.1.tgz",
@@ -17860,6 +17898,11 @@
         }
       }
     },
+    "utf8-byte-length": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/utf8-byte-length/-/utf8-byte-length-1.0.4.tgz",
+      "integrity": "sha512-4+wkEYLBbWxqTahEsWrhxepcoVOJ+1z5PGIjPZxRkytcdSUaNjIjBM7Xn8E+pdSuV7SzvWovBFA54FO0JSoqhA=="
+    },
     "util-deprecate": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz",
diff --git a/package.json b/package.json
index 32970d9..4902a4d 100644
--- a/package.json
+++ b/package.json
@@ -5,8 +5,8 @@
   "description": "Ferdium server to replace the default Franz/Ferdi server.",
   "main": "index.js",
   "engines": {
-    "node": "16.15.0",
-    "npm": "8.7.0"
+    "node": "16.15.1",
+    "npm": "8.13.2"
   },
   "scripts": {
     "prepare": "is-ci || husky install",
@@ -45,6 +45,7 @@
     "mysql": "2.18.1",
     "node-fetch": "^2.6.7",
     "pg": "^8.0.3",
+    "sanitize-filename": "1.6.3",
     "semver": "7.3.5",
     "sqlite3": "^4.1.0",
     "targz": "^1.0.1",