mirror of
https://github.com/Mintplex-Labs/anything-llm.git
synced 2024-10-02 08:50:11 +02:00
Normalize pfp path to prevent traversal
parent
026849df02
commit
e1dcd5ded0
@ -502,7 +502,8 @@ function systemEndpoints(app) {
|
||||
}
|
||||
|
||||
const userRecord = await User.get({ id: user.id });
|
||||
const oldPfpFilename = userRecord.pfpFilename;
|
||||
const oldPfpFilename = normalizePath(userRecord.pfpFilename);
|
||||
|
||||
console.log("oldPfpFilename", oldPfpFilename);
|
||||
if (oldPfpFilename) {
|
||||
const oldPfpPath = path.join(
|
||||
@ -536,7 +537,7 @@ function systemEndpoints(app) {
|
||||
try {
|
||||
const user = await userFromSession(request, response);
|
||||
const userRecord = await User.get({ id: user.id });
|
||||
const oldPfpFilename = userRecord.pfpFilename;
|
||||
const oldPfpFilename = normalizePath(userRecord.pfpFilename);
|
||||
console.log("oldPfpFilename", oldPfpFilename);
|
||||
if (oldPfpFilename) {
|
||||
const oldPfpPath = path.join(
|
||||
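Review bot: In both `systemEndpoints` hunks the new `normalizePath(userRecord.pfpFilename)` call runs before the `if (oldPfpFilename)` guard, so a user record with no stored profile picture passes a null or undefined value into the helper. `normalizePath` is not shown on this page; if it wraps `path.normalize`, a non-string argument throws and the request fails instead of skipping the old-file handling. Checking first keeps the previous behaviour: `const oldPfpFilename = userRecord.pfpFilename ? normalizePath(userRecord.pfpFilename) : null;`. The `console.log("oldPfpFilename", oldPfpFilename)` context line also writes a stored filename to the server log on each call and looks like leftover debugging. Both handlers start and end outside the hunks.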
|
@ -2,6 +2,7 @@ const path = require("path");
|
||||
const fs = require("fs");
|
||||
const { getType } = require("mime");
|
||||
const { User } = require("../../models/user");
|
||||
const { normalizePath } = require(".");
|
||||
|
||||
function fetchPfp(pfpPath) {
|
||||
if (!fs.existsSync(pfpPath)) {
|
||||
@ -32,8 +33,7 @@ async function determinePfpFilepath(id) {
|
||||
const basePath = process.env.STORAGE_DIR
|
||||
? path.join(process.env.STORAGE_DIR, "assets/pfp")
|
||||
: path.join(__dirname, "../../storage/assets/pfp");
|
||||
const pfpFilepath = path.join(basePath, pfpFilename);
|
||||
|
||||
const pfpFilepath = path.join(basePath, normalizePath(pfpFilename));
|
||||
if (!fs.existsSync(pfpFilepath)) return null;
|
||||
return pfpFilepath;
|
||||
}
|
||||
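Review bot: `determinePfpFilepath` now depends on `normalizePath` alone to keep the joined path under `basePath`, and nothing in the hunk verifies the result of the join. A containment check after `path.join` makes the guarantee independent of how the helper is implemented, for example `const root = path.resolve(basePath);` followed by `if (!path.resolve(pfpFilepath).startsWith(root + path.sep)) return null;`. The same check would fit the `oldPfpPath` joins in the endpoint handlers. The function starts above the hunk, so whether `pfpFilename` can be empty or non-string when it reaches `normalizePath` is not visible here and should be confirmed.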
|