prevent exports path traversal (#233)
parent
0fd46e10ac
commit
3c88aec034
@ -177,7 +177,8 @@ export default function DocumentSettings({ workspace }) {
|
||||
</div>
|
||||
</div>
|
||||
<div
|
||||
className={`flex items-center ${canDelete ? "justify-between" : "justify-end"
|
||||
className={`flex items-center ${
|
||||
canDelete ? "justify-between" : "justify-end"
|
||||
} p-4 md:p-6 space-x-2 border-t border-gray-200 rounded-b dark:border-gray-600`}
|
||||
>
|
||||
<button
|
||||
|
@ -24,6 +24,7 @@ const { User } = require("../models/user");
|
||||
const { validatedRequest } = require("../utils/middleware/validatedRequest");
|
||||
const { handleImports } = setupDataImports();
|
||||
const { handleLogoUploads } = setupLogoUploads();
|
||||
const fs = require("fs");
|
||||
const path = require("path");
|
||||
const {
|
||||
getDefaultFilename,
|
||||
@ -315,9 +316,21 @@ function systemEndpoints(app) {
|
||||
"/system/data-exports/:filename",
|
||||
[validatedRequest],
|
||||
(request, response) => {
|
||||
const filePath =
|
||||
__dirname + "/../storage/exports/" + request.params.filename;
|
||||
response.download(filePath, request.params.filename, (err) => {
|
||||
const exportLocation = __dirname + "/../storage/exports/";
|
||||
const sanitized = path
|
||||
.normalize(request.params.filename)
|
||||
.replace(/^(\.\.(\/|\\|$))+/, "");
|
||||
const finalDestination = path.join(exportLocation, sanitized);
|
||||
|
||||
if (!fs.existsSync(finalDestination)) {
|
||||
response.status(404).json({
|
||||
error: 404,
|
||||
msg: `File ${request.params.filename} does not exist in exports.`,
|
||||
});
|
||||
return;
|
||||
}
|
||||
|
||||
response.download(finalDestination, request.params.filename, (err) => {
|
||||
if (err) {
|
||||
response.send({
|
||||
error: err,
|
||||
@ -448,9 +461,7 @@ function systemEndpoints(app) {
|
||||
response.status(200).json({ canDelete });
|
||||
} catch (error) {
|
||||
console.error("Error fetching can delete workspaces:", error);
|
||||
response
|
||||
.status(500)
|
||||
.json({
|
||||
response.status(500).json({
|
||||
success: false,
|
||||
message: "Internal server error",
|
||||
canDelete: false,
|
||||
|
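Review bot: The new `/system/data-exports/:filename` handler strips leading `..` segments with a regex but never positively checks that `finalDestination` lies inside `exportLocation`, so the fix rests on the regex alone; it also leaves an edge case where `sanitized` is empty (a filename of `..` normalizes and strips to `""`, `path.join` then yields the exports directory itself, `fs.existsSync` returns true for a directory, and `response.download` will presumably fail on it and fall into the existing callback that sends the raw `err` object to the client). After the `path.join` line add a containment check: `const resolved = path.resolve(finalDestination);` / `if (!resolved.startsWith(path.resolve(exportLocation) + path.sep)) {` / `  response.status(404).json({ error: 404, msg: "Invalid export filename." }); return; }` — `path.resolve` drops the trailing slash of `exportLocation`, so the explicit `+ path.sep` is what rejects both the bare-directory case and any sibling directory with the same prefix. For consistency with the new `path`-based code, `exportLocation` would be better built as `path.join(__dirname, "..", "storage", "exports")` than by string concatenation. The enclosing `systemEndpoints` function begins and ends outside this hunk.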