From e1dcd5ded010b03abd6aa32d1bf0668a48e38e17 Mon Sep 17 00:00:00 2001
From: timothycarambat
Date: Sun, 14 Jan 2024 16:53:44 -0800
Subject: [PATCH] Normalize pfp path to prevent traversal
---
 server/endpoints/system.js | 5 +++--
 server/utils/files/pfp.js | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index 6d985065..39b77a6a 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -502,7 +502,8 @@ function systemEndpoints(app) {
 }
 const userRecord = await User.get({ id: user.id });
- const oldPfpFilename = userRecord.pfpFilename;
+ const oldPfpFilename = normalizePath(userRecord.pfpFilename);
+ console.log("oldPfpFilename", oldPfpFilename);
 if (oldPfpFilename) {
 const oldPfpPath = path.join(
@@ -536,7 +537,7 @@ function systemEndpoints(app) {
 try {
 const user = await userFromSession(request, response);
 const userRecord = await User.get({ id: user.id });
- const oldPfpFilename = userRecord.pfpFilename;
+ const oldPfpFilename = normalizePath(userRecord.pfpFilename);
 console.log("oldPfpFilename", oldPfpFilename);
 if (oldPfpFilename) {
 const oldPfpPath = path.join(
diff --git a/server/utils/files/pfp.js b/server/utils/files/pfp.js
index 943aa595..dd6ba0fe 100644
--- a/server/utils/files/pfp.js
+++ b/server/utils/files/pfp.js
@@ -2,6 +2,7 @@ const path = require("path");
 const fs = require("fs");
 const { getType } = require("mime");
 const { User } = require("../../models/user");
+const { normalizePath } = require(".");
 function fetchPfp(pfpPath) {
 if (!fs.existsSync(pfpPath)) {
@@ -32,8 +33,7 @@ async function determinePfpFilepath(id) {
 const basePath = process.env.STORAGE_DIR
 ? path.join(process.env.STORAGE_DIR, "assets/pfp")
 : path.join(__dirname, "../../storage/assets/pfp");
- const pfpFilepath = path.join(basePath, pfpFilename);
-
+ const pfpFilepath = path.join(basePath, normalizePath(pfpFilename));
 if (!fs.existsSync(pfpFilepath)) return null;
 return pfpFilepath;
 }
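Review bot: The added `console.log("oldPfpFilename", oldPfpFilename);` in the first server/endpoints/system.js hunk is debug output left in a security fix and writes a user-influenced filename to the server log; it should be dropped, along with the identical line the second hunk keeps as context. In both hunks `normalizePath` now runs before the `if (oldPfpFilename)` guard, so it also receives an unset `pfpFilename`; its body is not part of this patch, so unless it is known to tolerate null the safer form is `const oldPfpFilename = userRecord.pfpFilename ? normalizePath(userRecord.pfpFilename) : null;`. The diffstat accounts for every changed line in this file and none of them is a `require`, so it is worth confirming that `normalizePath` is already in scope in system.js. The enclosing handlers start and end outside the hunks.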
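Review bot: Normalizing `pfpFilename` does not by itself establish that the joined path in server/utils/files/pfp.js stays under `basePath`, and the body of `normalizePath` is not part of this patch, so the guarantee rests on code that cannot be checked here. A containment check after the join would keep `determinePfpFilepath` safe however the helper evolves: `const resolved = path.resolve(pfpFilepath);` followed by `if (!resolved.startsWith(path.resolve(basePath) + path.sep)) return null;`. `pfpFilename` is assigned above the hunk, so whether it can be null when it reaches `normalizePath` should be confirmed as well. The same containment check would apply to the `oldPfpPath` joins in server/endpoints/system.js, whose remaining arguments lie outside those hunks.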