mirror of
https://github.com/spacebarchat/server.git
synced 2024-11-07 19:32:34 +01:00
🔒 fix path traversal security issue
parent
320fef002e
commit
a6eac74236
@ -1,26 +1,24 @@
|
||||
import { Storage } from "./Storage";
|
||||
import fs from "fs";
|
||||
import { join } from "path";
|
||||
import { join, relative } from "path";
|
||||
import "missing-native-js-functions";
|
||||
|
||||
function getPath(path: string) {
|
||||
// STORAGE_LOCATION has a default value in start.ts
|
||||
return join(process.env.STORAGE_LOCATION || "../", relative("/", path));
|
||||
}
|
||||
|
||||
export class FileStorage implements Storage {
|
||||
async get(path: string): Promise<Buffer | null> {
|
||||
path = join(process.env.STORAGE_LOCATION || "", path);
|
||||
try {
|
||||
const file = fs.readFileSync(path);
|
||||
// @ts-ignore
|
||||
return file;
|
||||
return fs.readFileSync(getPath(path));
|
||||
} catch (error) {
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
async set(path: string, value: any) {
|
||||
path = join(process.env.STORAGE_LOCATION || "", path).replace(/[\\]/g, "/");
|
||||
const dir = path.split("/").slice(0, -1).join("/");
|
||||
fs.mkdirSync(dir, { recursive: true });
|
||||
|
||||
return fs.writeFileSync(path, value, { encoding: "binary" });
|
||||
return fs.writeFileSync(getPath(path), value, { encoding: "binary" });
|
||||
}
|
||||
|
||||
async delete(path: string) {
|
||||
|
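Review bot: `getPath` leans on `relative("/", path)` to strip `..` segments, but Node resolves a non-absolute `path` against the process working directory first, so a key without a leading slash ends up under `<STORAGE_LOCATION>/<cwd>/…` and the location depends on where the server was started; nothing afterwards asserts that the final path is still inside the storage root. I would anchor the key to a fixed root and check containment explicitly, as sketched below (it needs `resolve`, `normalize` and `sep` from "path" in addition to `join`). Going by the `+1,24` line count, `set` also appears to lose its `fs.mkdirSync(dir, { recursive: true })` call, which would make writes into a not-yet-existing subdirectory fail. `delete` continues past the end of the hunk; if its body still joins `STORAGE_LOCATION` with the raw `path`, it needs the same `getPath` treatment as `get` and `set`.

```typescript
function getPath(path: string) {
	// STORAGE_LOCATION has a default value in start.ts
	const root = resolve(process.env.STORAGE_LOCATION || "../");
	// Root the key at "/" before normalising so ".." cannot climb and cwd is never consulted.
	const target = join(root, normalize("/" + path));
	// Defence in depth: refuse anything that does not resolve inside the storage root.
	if (target !== root && !target.startsWith(root + sep)) {
		throw new Error("storage path escapes STORAGE_LOCATION");
	}
	return target;
}
```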