From 1da6e9e5e05ac64eb564df334997345a1a060ef9 Mon Sep 17 00:00:00 2001
From: Mohamed Marrouchi <marrouchi.mohamed@gmail.com>
Date: Fri, 18 Oct 2024 18:03:57 +0100
Subject: [PATCH] fix: sanitize uploaded filename

---
 .../extensions/channels/offline/base-web-channel.ts  | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/api/src/extensions/channels/offline/base-web-channel.ts b/api/src/extensions/channels/offline/base-web-channel.ts
index 4c5a9c8..591672c 100644
--- a/api/src/extensions/channels/offline/base-web-channel.ts
+++ b/api/src/extensions/channels/offline/base-web-channel.ts
@@ -685,14 +685,20 @@ export default class BaseWebChannelHandler<
 
     // Store file as attachment
     const dirPath = path.join(config.parameters.uploadDir);
-    const filename = sanitize(
+    const sanitizedFilename = sanitize(
       `${req.session.offline.profile.id}_${+new Date()}_${upload.name}`,
     );
+    const filePath = path.resolve(dirPath, sanitizedFilename);
+
+    if (!filePath.startsWith(dirPath)) {
+      return next(new Error('Invalid file path!'), false);
+    }
+
     if ('isSocket' in req && req.isSocket) {
       // @TODO : test this
       try {
-        await fsPromises.writeFile(path.join(dirPath, filename), upload.file);
-        this.storeAttachment(upload, filename, next);
+        await fsPromises.writeFile(filePath, upload.file);
+        this.storeAttachment(upload, sanitizedFilename, next);
       } catch (err) {
         this.logger.error(
           'Offline Channel Handler : Unable to write uploaded file',