prevent exports path traversal (#233)

2024-11-16 19:30:12 +01:00 · 2023-09-11 22:07:48 +02:00 · 2023-09-11 22:07:48 +02:00 · 3c88aec034
commit 3c88aec034
parent 0fd46e10ac
2 changed files with 24 additions and 12 deletions
--- a/frontend/src/components/Modals/MangeWorkspace/Documents/index.jsx
+++ b/frontend/src/components/Modals/MangeWorkspace/Documents/index.jsx
@ -177,7 +177,8 @@ export default function DocumentSettings({ workspace }) {
        </div>
      </div>
      <div
-        className={`flex items-center ${canDelete ? "justify-between" : "justify-end"
+        className={`flex items-center ${
+          canDelete ? "justify-between" : "justify-end"
        } p-4 md:p-6 space-x-2 border-t border-gray-200 rounded-b dark:border-gray-600`}
      >
        <button
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@ -24,6 +24,7 @@ const { User } = require("../models/user");
 const { validatedRequest } = require("../utils/middleware/validatedRequest");
 const { handleImports } = setupDataImports();
 const { handleLogoUploads } = setupLogoUploads();
+const fs = require("fs");
 const path = require("path");
 const {
  getDefaultFilename,
@ -315,9 +316,21 @@ function systemEndpoints(app) {
    "/system/data-exports/:filename",
    [validatedRequest],
    (request, response) => {
-      const filePath =
-        __dirname + "/../storage/exports/" + request.params.filename;
-      response.download(filePath, request.params.filename, (err) => {
+      const exportLocation = __dirname + "/../storage/exports/";
+      const sanitized = path
+        .normalize(request.params.filename)
+        .replace(/^(\.\.(\/|\\|$))+/, "");
+      const finalDestination = path.join(exportLocation, sanitized);
+
+      if (!fs.existsSync(finalDestination)) {
+        response.status(404).json({
+          error: 404,
+          msg: `File ${request.params.filename} does not exist in exports.`,
+        });
+        return;
+      }
+
+      response.download(finalDestination, request.params.filename, (err) => {
        if (err) {
          response.send({
            error: err,
@ -448,9 +461,7 @@ function systemEndpoints(app) {
        response.status(200).json({ canDelete });
      } catch (error) {
        console.error("Error fetching can delete workspaces:", error);
-        response
-          .status(500)
-          .json({
+        response.status(500).json({
          success: false,
          message: "Internal server error",
          canDelete: false,