author | Kristóf Marussy <kristof@marussy.com> | 2022-07-10 22:47:27 +0100 |
---|---|---|
committer | André Oliveira <oliveira.andrerodrigues95@gmail.com> | 2022-07-10 23:03:28 +0100 |
commit | 03b87704f6a15d260a7b87ac528c2541b7dd9678 (patch) | |
tree | 017e24f5dc0dfa478ea9fca1ee88fee1803dfba0 /app | |
parent | Add HTTPOnly and SameSite and fix filename export (diff) | |
Update dependencies and fix local server directory traversal
Diffstat (limited to 'app')
-rw-r--r-- | app/Controllers/Http/ServiceController.js | 16 |
1 files changed, 14 insertions, 2 deletions
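--- a/app/Controllers/Http/ServiceController.js
+++ b/app/Controllers/Http/ServiceController.js
@@ -6,6 +6,7 @@ const Helpers = use('Helpers');
 const { v4: uuid } = require('uuid');
 const path = require('path');
 const fs = require('fs-extra');
+const sanitize = require('sanitize-filename');
 
 class ServiceController {
 // Create a new service for user
@@ -231,10 +232,21 @@ class ServiceController {
 }
 
 async icon({ params, response }) {
-const { id } = params;
+let { id } = params;
+
+id = sanitize(id);
+if (id === '') {
+return response.status(404).send({
+status: "Icon doesn't exist",
+});
+}
 
 const iconPath = path.join(Helpers.tmpPath('uploads'), id);
-if (!(await fs.exists(iconPath))) {
+
+try {
+await fs.access(iconPath);
+} catch {
+// File not available.
 return response.status(404).send({
 status: "Icon doesn't exist",
 });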
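Review bot: In the new `icon` body the sanitized name silently replaces the requested one, so an id containing separators or dot-only segments is rewritten into a different filename under `uploads` and served if that file happens to exist; only an empty result is refused. Rejecting on any mismatch is stricter and removes the reassignment: `const { id } = params;` followed by `if (id === '' || sanitize(id) !== id) {` in place of `id = sanitize(id);` and the empty check. It is also worth confirming the joined path before use, e.g. that `iconPath` starts with `Helpers.tmpPath('uploads')` plus `path.sep`, so containment does not rest on `sanitize-filename` alone. The rest of `icon`, where `iconPath` is presumably read after the `fs.access` check, lies outside the hunk and is not reviewed here.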