fix: filename sanitization

Mohamed Marrouchi 2024-12-29 10:08:34 +01:00
parent b66093612d
commit c5520c96b3


@ -17,6 +17,7 @@ import {
StreamableFile,
} from '@nestjs/common';
import fetch from 'node-fetch';
import sanitizeFilename from 'sanitize-filename';
import { config } from '@/config';
import { LoggerService } from '@/logger/logger.service';
@ -203,12 +204,17 @@ export class AttachmentService extends BaseService<Attachment> {
} else {
const dirPath = path.join(config.parameters.uploadDir);
const uniqueFilename = generateUniqueFilename(metadata.name);
const filePath = path.resolve(dirPath, uniqueFilename);
const filePath = path.resolve(dirPath, sanitizeFilename(uniqueFilename));
if (!filePath.startsWith(dirPath)) {
throw new Error('Invalid file path');
}
if (typeof file === 'string') {
// For example, if the file is an instance of `Express.Multer.File` (diskStorage case)
await fsPromises.copyFile(file, filePath);
await fsPromises.unlink(file);
const srcFilePath = path.resolve(file);
await fsPromises.copyFile(srcFilePath, filePath);
await fsPromises.unlink(srcFilePath);
} else if (Buffer.isBuffer(file)) {
await fsPromises.writeFile(filePath, file);
} else if (file instanceof Readable) {
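Review bot: The containment check `if (!filePath.startsWith(dirPath))` is a plain string-prefix test against a `dirPath` built with `path.join(...)`, which normalizes but does not make the path absolute, while `filePath` comes from `path.resolve(...)` and is always absolute. If `config.parameters.uploadDir` is relative (its value is not visible here) the check would reject every upload, and when it is absolute a prefix match also accepts a sibling directory whose name merely begins with the upload directory's name. Since the sanitized name should be a single path component, a tighter guard is `const dirPath = path.resolve(config.parameters.uploadDir);` followed by `if (path.dirname(filePath) !== dirPath) throw new Error('Invalid file path');`, which also rejects the result should `sanitizeFilename` ever return an empty string. Separately, `path.resolve(file)` only normalizes the source path before `copyFile`/`unlink` and does not confine it to the upload temp location, so that branch still relies on callers never passing a string influenced by request data. The enclosing method starts and ends outside this hunk.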