fix: sanitize uploaded filename

Mohamed Marrouchi 2024-10-18 18:03:57 +01:00
parent 879f5be1c2
commit 1da6e9e5e0


@ -685,14 +685,20 @@ export default class BaseWebChannelHandler<
// Store file as attachment
const dirPath = path.join(config.parameters.uploadDir);
const filename = sanitize(
const sanitizedFilename = sanitize(
`${req.session.offline.profile.id}_${+new Date()}_${upload.name}`,
);
const filePath = path.resolve(dirPath, sanitizedFilename);
if (!filePath.startsWith(dirPath)) {
return next(new Error('Invalid file path!'), false);
}
if ('isSocket' in req && req.isSocket) {
// @TODO : test this
try {
await fsPromises.writeFile(path.join(dirPath, filename), upload.file);
this.storeAttachment(upload, filename, next);
await fsPromises.writeFile(filePath, upload.file);
this.storeAttachment(upload, sanitizedFilename, next);
} catch (err) {
this.logger.error(
'Offline Channel Handler : Unable to write uploaded file',