fix: sanitize uploaded filename

Mohamed Marrouchi 2024-10-18 18:03:57 +01:00
parent 879f5be1c2
commit 1da6e9e5e0


@ -685,14 +685,20 @@ export default class BaseWebChannelHandler<
// Store file as attachment // Store file as attachment
const dirPath = path.join(config.parameters.uploadDir); const dirPath = path.join(config.parameters.uploadDir);
const filename = sanitize( const sanitizedFilename = sanitize(
`${req.session.offline.profile.id}_${+new Date()}_${upload.name}`, `${req.session.offline.profile.id}_${+new Date()}_${upload.name}`,
); );
const filePath = path.resolve(dirPath, sanitizedFilename);
if (!filePath.startsWith(dirPath)) {
return next(new Error('Invalid file path!'), false);
}
if ('isSocket' in req && req.isSocket) { if ('isSocket' in req && req.isSocket) {
// @TODO : test this // @TODO : test this
try { try {
await fsPromises.writeFile(path.join(dirPath, filename), upload.file); await fsPromises.writeFile(filePath, upload.file);
this.storeAttachment(upload, filename, next); this.storeAttachment(upload, sanitizedFilename, next);
} catch (err) { } catch (err) {
this.logger.error( this.logger.error(
'Offline Channel Handler : Unable to write uploaded file', 'Offline Channel Handler : Unable to write uploaded file',