kamp/anything-llm
1
0
Fork 0
mirror of https://github.com/Mintplex-Labs/anything-llm.git synced 2024-11-19 20:50:09 +01:00
Code Issues Packages Projects Releases Wiki Activity

Normalize pfp path to prevent traversal

Browse Source
This commit is contained in:
timothycarambat 2024-01-14 16:53:44 -08:00
parent 026849df02
commit e1dcd5ded0
2 changed files with 5 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
server/endpoints/system.js
View File

@ -502,7 +502,8 @@ function systemEndpoints(app) {
} }
const userRecord = await User.get({ id: user.id }); const userRecord = await User.get({ id: user.id });
const oldPfpFilename = userRecord.pfpFilename; const oldPfpFilename = normalizePath(userRecord.pfpFilename);
console.log("oldPfpFilename", oldPfpFilename); console.log("oldPfpFilename", oldPfpFilename);
if (oldPfpFilename) { if (oldPfpFilename) {
const oldPfpPath = path.join( const oldPfpPath = path.join(
@ -536,7 +537,7 @@ function systemEndpoints(app) {
try { try {
const user = await userFromSession(request, response); const user = await userFromSession(request, response);
const userRecord = await User.get({ id: user.id }); const userRecord = await User.get({ id: user.id });
const oldPfpFilename = userRecord.pfpFilename; const oldPfpFilename = normalizePath(userRecord.pfpFilename);
console.log("oldPfpFilename", oldPfpFilename); console.log("oldPfpFilename", oldPfpFilename);
if (oldPfpFilename) { if (oldPfpFilename) {
const oldPfpPath = path.join( const oldPfpPath = path.join(

4
server/utils/files/pfp.js
View File

@ -2,6 +2,7 @@ const path = require("path");
const fs = require("fs"); const fs = require("fs");
const { getType } = require("mime"); const { getType } = require("mime");
const { User } = require("../../models/user"); const { User } = require("../../models/user");
const { normalizePath } = require(".");
function fetchPfp(pfpPath) { function fetchPfp(pfpPath) {
if (!fs.existsSync(pfpPath)) { if (!fs.existsSync(pfpPath)) {
@ -32,8 +33,7 @@ async function determinePfpFilepath(id) {
const basePath = process.env.STORAGE_DIR const basePath = process.env.STORAGE_DIR
? path.join(process.env.STORAGE_DIR, "assets/pfp") ? path.join(process.env.STORAGE_DIR, "assets/pfp")
: path.join(__dirname, "../../storage/assets/pfp"); : path.join(__dirname, "../../storage/assets/pfp");
const pfpFilepath = path.join(basePath, pfpFilename); const pfpFilepath = path.join(basePath, normalizePath(pfpFilename));
if (!fs.existsSync(pfpFilepath)) return null; if (!fs.existsSync(pfpFilepath)) return null;
return pfpFilepath; return pfpFilepath;
} }