From 03b87704f6a15d260a7b87ac528c2541b7dd9678 Mon Sep 17 00:00:00 2001
From: Kristóf Marussy
Date: Sun, 10 Jul 2022 22:47:27 +0100
Subject: Update dependencies and fix local server directory traversal

---
 app/Controllers/Http/ServiceController.js | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
(limited to 'app/Controllers/Http')

diff --git a/app/Controllers/Http/ServiceController.js b/app/Controllers/Http/ServiceController.js
index 3d10cb4..1be0484 100644
--- a/app/Controllers/Http/ServiceController.js
+++ b/app/Controllers/Http/ServiceController.js
@@ -6,6 +6,7 @@ const Helpers = use('Helpers');
 const { v4: uuid } = require('uuid');
 const path = require('path');
 const fs = require('fs-extra');
+const sanitize = require('sanitize-filename');
 
 class ServiceController {
   // Create a new service for user
@@ -231,10 +232,21 @@ class ServiceController {
   }
 
   async icon({ params, response }) {
-    const { id } = params;
+    let { id } = params;
+
+    id = sanitize(id);
+    if (id === '') {
+      return response.status(404).send({
+        status: "Icon doesn't exist",
+      });
+    }
 
     const iconPath = path.join(Helpers.tmpPath('uploads'), id);
-    if (!(await fs.exists(iconPath))) {
+
+    try {
+      await fs.access(iconPath);
+    } catch {
+      // File not available.
       return response.status(404).send({
         status: "Icon doesn't exist",
       });
-- cgit v1.2.3-54-g00ecf
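Review bot: After `id = sanitize(id)` the value is joined to the uploads directory at `const iconPath = path.join(Helpers.tmpPath('uploads'), id);` with no check that the result still lies inside that directory, so the traversal fix rests entirely on sanitize-filename's replacement rules; a containment check makes the guarantee explicit and local: `const uploadsDir = Helpers.tmpPath('uploads');` followed by `if (path.relative(uploadsDir, iconPath).startsWith('..')) { return response.status(404).send({ status: "Icon doesn't exist" }); }`. `await fs.access(iconPath)` with no mode argument only tests that the path exists, so an existing directory at that path passes and the 404 branch is not taken; `fs.stat` plus an `isFile()` check (or at least `fs.constants.R_OK`) would be tighter. Because the existence check and the later read are separate operations, the read that presumably follows still needs its own error handling rather than relying on this guard. The body of icon() continues past the end of the hunk, so the read itself is not visible here.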