From c5520c96b3fc1d3e31f0182ab42abfd8a6e2acea Mon Sep 17 00:00:00 2001
From: Mohamed Marrouchi <marrouchi.mohamed@gmail.com>
Date: Sun, 29 Dec 2024 10:08:34 +0100
Subject: [PATCH] fix: filename sanitization

---
 api/src/attachment/services/attachment.service.ts | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/api/src/attachment/services/attachment.service.ts b/api/src/attachment/services/attachment.service.ts
index ccbd0712..2c942228 100644
--- a/api/src/attachment/services/attachment.service.ts
+++ b/api/src/attachment/services/attachment.service.ts
@@ -17,6 +17,7 @@ import {
   StreamableFile,
 } from '@nestjs/common';
 import fetch from 'node-fetch';
+import sanitizeFilename from 'sanitize-filename';
 
 import { config } from '@/config';
 import { LoggerService } from '@/logger/logger.service';
@@ -203,12 +204,17 @@ export class AttachmentService extends BaseService<Attachment> {
     } else {
       const dirPath = path.join(config.parameters.uploadDir);
       const uniqueFilename = generateUniqueFilename(metadata.name);
-      const filePath = path.resolve(dirPath, uniqueFilename);
+      const filePath = path.resolve(dirPath, sanitizeFilename(uniqueFilename));
+
+      if (!filePath.startsWith(dirPath)) {
+        throw new Error('Invalid file path');
+      }
 
       if (typeof file === 'string') {
         // For example, if the file is an instance of `Express.Multer.File` (diskStorage case)
-        await fsPromises.copyFile(file, filePath);
-        await fsPromises.unlink(file);
+        const srcFilePath = path.resolve(file);
+        await fsPromises.copyFile(srcFilePath, filePath);
+        await fsPromises.unlink(srcFilePath);
       } else if (Buffer.isBuffer(file)) {
         await fsPromises.writeFile(filePath, file);
       } else if (file instanceof Readable) {