author | Kristóf Marussy <kristof@marussy.com> | 2022-07-10 22:47:27 +0100 |
---|---|---|
committer | André Oliveira <oliveira.andrerodrigues95@gmail.com> | 2022-07-10 23:03:28 +0100 |
commit | 03b87704f6a15d260a7b87ac528c2541b7dd9678 (patch) | |
tree | 017e24f5dc0dfa478ea9fca1ee88fee1803dfba0 | |
parent | Add HTTPOnly and SameSite and fix filename export (diff) | |
Update dependencies and fix local server directory traversal
-rw-r--r-- | .nvmrc | 2 | ||||
-rw-r--r-- | CONTRIBUTING.md | 4 | ||||
-rw-r--r-- | Dockerfile | 4 | ||||
-rw-r--r-- | app/Controllers/Http/ServiceController.js | 16 | ||||
-rw-r--r-- | package-lock.json | 47 | ||||
-rw-r--r-- | package.json | 5 |
6 files changed, 67 insertions, 11 deletions
@@ -1 +1 @@ | |||
16.15.0 | 16.15.1 | ||
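--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -49,8 +49,8 @@ Currently, these are the combinations of system dependencies that work for MacOS
 ```bash
 $ jq --null-input '[inputs.engines] | add' < ./package.json < ./recipes/package.json
 {
-  "node": "16.15.0",
-  "npm": "8.7.0",
+  "node": "16.15.1",
+  "npm": "8.13.2",
   "pnpm": "7.0.1"
 }
 ```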
@@ -1,4 +1,4 @@ | |||
1 | FROM node:16.15.0-alpine as build | 1 | FROM node:16.15.1-alpine as build |
2 | 2 | ||
3 | WORKDIR /server-build | 3 | WORKDIR /server-build |
4 | 4 | ||
@@ -11,7 +11,7 @@ RUN NPM_VERSION=$(node -p 'require("./package.json").engines.npm'); npm i -g npm | |||
11 | RUN npm ci --build-from-source --sqlite=/usr/local | 11 | RUN npm ci --build-from-source --sqlite=/usr/local |
12 | 12 | ||
13 | # ---- RUNTIME IMAGE ---------------------------------------------------------- | 13 | # ---- RUNTIME IMAGE ---------------------------------------------------------- |
14 | FROM node:16.15.0-alpine | 14 | FROM node:16.15.1-alpine |
15 | 15 | ||
16 | WORKDIR /app | 16 | WORKDIR /app |
17 | LABEL maintainer="ferdium" | 17 | LABEL maintainer="ferdium" |
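--- a/app/Controllers/Http/ServiceController.js
+++ b/app/Controllers/Http/ServiceController.js
@@ -6,6 +6,7 @@ const Helpers = use('Helpers');
 const { v4: uuid } = require('uuid');
 const path = require('path');
 const fs = require('fs-extra');
+const sanitize = require('sanitize-filename');
 
 class ServiceController {
   // Create a new service for user
@@ -231,10 +232,21 @@ class ServiceController {
   }
 
   async icon({ params, response }) {
-    const { id } = params;
+    let { id } = params;
+
+    id = sanitize(id);
+    if (id === '') {
+      return response.status(404).send({
+        status: "Icon doesn't exist",
+      });
+    }
 
     const iconPath = path.join(Helpers.tmpPath('uploads'), id);
-    if (!(await fs.exists(iconPath))) {
+
+    try {
+      await fs.access(iconPath);
+    } catch {
+      // File not available.
       return response.status(404).send({
         status: "Icon doesn't exist",
       });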
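Review bot: `id = sanitize(id)` on new line 237 rewrites an id that contained separators or `..` instead of refusing it, so such a request is silently served as whichever upload the stripped name happens to match; rejecting any id the sanitizer had to change, `if (id === '' || id !== params.id) {`, is both stricter and easier to reason about. The containment invariant is still implicit at `path.join(Helpers.tmpPath('uploads'), id)`; resolving `iconPath` and checking that it still starts with the uploads directory plus `path.sep` would state it at the point where the path is built and survive a later change of sanitizer. If I recall correctly, sanitize-filename throws on non-string input, so the call relies on `params.id` always being a string here — presumably true for a route parameter, but worth confirming. A one-line comment above the call, `// Strip path separators and reserved names so the id cannot escape the uploads directory.`, would record why the sanitizer is here. The `icon` method continues past the end of the hunk.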
diff --git a/package-lock.json b/package-lock.json index 6937f05..3cbb97e 100644 --- a/package-lock.json +++ b/package-lock.json | |||
@@ -30,6 +30,7 @@ | |||
30 | "mysql": "2.18.1", | 30 | "mysql": "2.18.1", |
31 | "node-fetch": "^2.6.7", | 31 | "node-fetch": "^2.6.7", |
32 | "pg": "^8.0.3", | 32 | "pg": "^8.0.3", |
33 | "sanitize-filename": "1.6.3", | ||
33 | "semver": "7.3.5", | 34 | "semver": "7.3.5", |
34 | "sqlite3": "^4.1.0", | 35 | "sqlite3": "^4.1.0", |
35 | "targz": "^1.0.1", | 36 | "targz": "^1.0.1", |
@@ -45,8 +46,8 @@ | |||
45 | "prettier": "2.3.2" | 46 | "prettier": "2.3.2" |
46 | }, | 47 | }, |
47 | "engines": { | 48 | "engines": { |
48 | "node": "16.15.0", | 49 | "node": "16.15.1", |
49 | "npm": "8.7.0" | 50 | "npm": "8.13.2" |
50 | } | 51 | } |
51 | }, | 52 | }, |
52 | "node_modules/@adonisjs/ace": { | 53 | "node_modules/@adonisjs/ace": { |
@@ -8214,6 +8215,14 @@ | |||
8214 | "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", | 8215 | "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", |
8215 | "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" | 8216 | "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" |
8216 | }, | 8217 | }, |
8218 | "node_modules/sanitize-filename": { | ||
8219 | "version": "1.6.3", | ||
8220 | "resolved": "https://registry.npmjs.org/sanitize-filename/-/sanitize-filename-1.6.3.tgz", | ||
8221 | "integrity": "sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg==", | ||
8222 | "dependencies": { | ||
8223 | "truncate-utf8-bytes": "^1.0.0" | ||
8224 | } | ||
8225 | }, | ||
8217 | "node_modules/sax": { | 8226 | "node_modules/sax": { |
8218 | "version": "1.2.4", | 8227 | "version": "1.2.4", |
8219 | "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz", | 8228 | "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz", |
@@ -9479,6 +9488,14 @@ | |||
9479 | "resolved": "https://registry.npmjs.org/triple-beam/-/triple-beam-1.3.0.tgz", | 9488 | "resolved": "https://registry.npmjs.org/triple-beam/-/triple-beam-1.3.0.tgz", |
9480 | "integrity": "sha512-XrHUvV5HpdLmIj4uVMxHggLbFSZYIn7HEWsqePZcI50pco+MPqJ50wMGY794X7AOOhxOBAjbkqfAbEe/QMp2Lw==" | 9489 | "integrity": "sha512-XrHUvV5HpdLmIj4uVMxHggLbFSZYIn7HEWsqePZcI50pco+MPqJ50wMGY794X7AOOhxOBAjbkqfAbEe/QMp2Lw==" |
9481 | }, | 9490 | }, |
9491 | "node_modules/truncate-utf8-bytes": { | ||
9492 | "version": "1.0.2", | ||
9493 | "resolved": "https://registry.npmjs.org/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz", | ||
9494 | "integrity": "sha512-95Pu1QXQvruGEhv62XCMO3Mm90GscOCClvrIUwCM0PYOXK3kaF3l3sIHxx71ThJfcbM2O5Au6SO3AWCSEfW4mQ==", | ||
9495 | "dependencies": { | ||
9496 | "utf8-byte-length": "^1.0.1" | ||
9497 | } | ||
9498 | }, | ||
9482 | "node_modules/tsconfig-paths": { | 9499 | "node_modules/tsconfig-paths": { |
9483 | "version": "3.14.1", | 9500 | "version": "3.14.1", |
9484 | "resolved": "https://registry.npmjs.org/tsconfig-paths/-/tsconfig-paths-3.14.1.tgz", | 9501 | "resolved": "https://registry.npmjs.org/tsconfig-paths/-/tsconfig-paths-3.14.1.tgz", |
@@ -9774,6 +9791,11 @@ | |||
9774 | "resolved": "https://registry.npmjs.org/yallist/-/yallist-2.1.2.tgz", | 9791 | "resolved": "https://registry.npmjs.org/yallist/-/yallist-2.1.2.tgz", |
9775 | "integrity": "sha1-HBH5IY8HYImkfdUS+TxmmaaoHVI=" | 9792 | "integrity": "sha1-HBH5IY8HYImkfdUS+TxmmaaoHVI=" |
9776 | }, | 9793 | }, |
9794 | "node_modules/utf8-byte-length": { | ||
9795 | "version": "1.0.4", | ||
9796 | "resolved": "https://registry.npmjs.org/utf8-byte-length/-/utf8-byte-length-1.0.4.tgz", | ||
9797 | "integrity": "sha512-4+wkEYLBbWxqTahEsWrhxepcoVOJ+1z5PGIjPZxRkytcdSUaNjIjBM7Xn8E+pdSuV7SzvWovBFA54FO0JSoqhA==" | ||
9798 | }, | ||
9777 | "node_modules/util-deprecate": { | 9799 | "node_modules/util-deprecate": { |
9778 | "version": "1.0.2", | 9800 | "version": "1.0.2", |
9779 | "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", | 9801 | "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", |
@@ -16621,6 +16643,14 @@ | |||
16621 | "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", | 16643 | "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", |
16622 | "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" | 16644 | "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" |
16623 | }, | 16645 | }, |
16646 | "sanitize-filename": { | ||
16647 | "version": "1.6.3", | ||
16648 | "resolved": "https://registry.npmjs.org/sanitize-filename/-/sanitize-filename-1.6.3.tgz", | ||
16649 | "integrity": "sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg==", | ||
16650 | "requires": { | ||
16651 | "truncate-utf8-bytes": "^1.0.0" | ||
16652 | } | ||
16653 | }, | ||
16624 | "sax": { | 16654 | "sax": { |
16625 | "version": "1.2.4", | 16655 | "version": "1.2.4", |
16626 | "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz", | 16656 | "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.4.tgz", |
@@ -17622,6 +17652,14 @@ | |||
17622 | "resolved": "https://registry.npmjs.org/triple-beam/-/triple-beam-1.3.0.tgz", | 17652 | "resolved": "https://registry.npmjs.org/triple-beam/-/triple-beam-1.3.0.tgz", |
17623 | "integrity": "sha512-XrHUvV5HpdLmIj4uVMxHggLbFSZYIn7HEWsqePZcI50pco+MPqJ50wMGY794X7AOOhxOBAjbkqfAbEe/QMp2Lw==" | 17653 | "integrity": "sha512-XrHUvV5HpdLmIj4uVMxHggLbFSZYIn7HEWsqePZcI50pco+MPqJ50wMGY794X7AOOhxOBAjbkqfAbEe/QMp2Lw==" |
17624 | }, | 17654 | }, |
17655 | "truncate-utf8-bytes": { | ||
17656 | "version": "1.0.2", | ||
17657 | "resolved": "https://registry.npmjs.org/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz", | ||
17658 | "integrity": "sha512-95Pu1QXQvruGEhv62XCMO3Mm90GscOCClvrIUwCM0PYOXK3kaF3l3sIHxx71ThJfcbM2O5Au6SO3AWCSEfW4mQ==", | ||
17659 | "requires": { | ||
17660 | "utf8-byte-length": "^1.0.1" | ||
17661 | } | ||
17662 | }, | ||
17625 | "tsconfig-paths": { | 17663 | "tsconfig-paths": { |
17626 | "version": "3.14.1", | 17664 | "version": "3.14.1", |
17627 | "resolved": "https://registry.npmjs.org/tsconfig-paths/-/tsconfig-paths-3.14.1.tgz", | 17665 | "resolved": "https://registry.npmjs.org/tsconfig-paths/-/tsconfig-paths-3.14.1.tgz", |
@@ -17860,6 +17898,11 @@ | |||
17860 | } | 17898 | } |
17861 | } | 17899 | } |
17862 | }, | 17900 | }, |
17901 | "utf8-byte-length": { | ||
17902 | "version": "1.0.4", | ||
17903 | "resolved": "https://registry.npmjs.org/utf8-byte-length/-/utf8-byte-length-1.0.4.tgz", | ||
17904 | "integrity": "sha512-4+wkEYLBbWxqTahEsWrhxepcoVOJ+1z5PGIjPZxRkytcdSUaNjIjBM7Xn8E+pdSuV7SzvWovBFA54FO0JSoqhA==" | ||
17905 | }, | ||
17863 | "util-deprecate": { | 17906 | "util-deprecate": { |
17864 | "version": "1.0.2", | 17907 | "version": "1.0.2", |
17865 | "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", | 17908 | "resolved": "https://registry.npmjs.org/util-deprecate/-/util-deprecate-1.0.2.tgz", |
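--- a/package.json
+++ b/package.json
@@ -5,8 +5,8 @@
   "description": "Ferdium server to replace the default Franz/Ferdi server.",
   "main": "index.js",
   "engines": {
-    "node": "16.15.0",
-    "npm": "8.7.0"
+    "node": "16.15.1",
+    "npm": "8.13.2"
   },
   "scripts": {
     "prepare": "is-ci || husky install",
@@ -45,6 +45,7 @@
     "mysql": "2.18.1",
     "node-fetch": "^2.6.7",
     "pg": "^8.0.3",
+    "sanitize-filename": "1.6.3",
     "semver": "7.3.5",
     "sqlite3": "^4.1.0",
     "targz": "^1.0.1",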