mirror of https://github.com/spacebarchat/server.git synced 2024-11-07 19:32:34 +01:00

🔒 fix path traversal security issue

Flam3rboy 2021-08-07 13:15:26 +02:00
parent 320fef002e
commit a6eac74236


@ -1,26 +1,24 @@
import { Storage } from "./Storage";
import fs from "fs";
import { join } from "path";
import { join, relative } from "path";
import "missing-native-js-functions";
function getPath(path: string) {
// STORAGE_LOCATION has a default value in start.ts
return join(process.env.STORAGE_LOCATION || "../", relative("/", path));
}
export class FileStorage implements Storage {
async get(path: string): Promise<Buffer | null> {
path = join(process.env.STORAGE_LOCATION || "", path);
try {
const file = fs.readFileSync(path);
// @ts-ignore
return file;
return fs.readFileSync(getPath(path));
} catch (error) {
return null;
}
}
async set(path: string, value: any) {
path = join(process.env.STORAGE_LOCATION || "", path).replace(/[\\]/g, "/");
const dir = path.split("/").slice(0, -1).join("/");
fs.mkdirSync(dir, { recursive: true });
return fs.writeFileSync(path, value, { encoding: "binary" });
return fs.writeFileSync(getPath(path), value, { encoding: "binary" });
}
async delete(path: string) {