🐛 fix cors

src/Server.ts

@@ -18,6 +18,17 @@ export class CDNServer extends Server {
 		await (db as Promise<Connection>);
 		await Config.init();
 		console.log("[Database] connected");
+		this.app.use((req, res, next) => {
+			res.set("Access-Control-Allow-Origin", "*");
+			// TODO: use better CSP policy
+			res.set(
+				"Content-security-policy",
+				"default-src *  data: blob: filesystem: about: ws: wss: 'unsafe-inline' 'unsafe-eval'; script-src * data: blob: 'unsafe-inline' 'unsafe-eval'; connect-src * data: blob: 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src * data: blob: ; style-src * data: blob: 'unsafe-inline'; font-src * data: blob: 'unsafe-inline';"
+			);
+			res.set("Access-Control-Allow-Headers", req.header("Access-Control-Request-Headers") || "*");
+			res.set("Access-Control-Allow-Methods", req.header("Access-Control-Request-Methods") || "*");
+			next();
+		});
 
 		await this.registerRoutes(path.join(__dirname, "routes/"));
 

src/util/FileStorage.ts

@@ -4,9 +4,12 @@ import { join, relative } from "path";
 import "missing-native-js-functions";
 
 function getPath(path: string) {
-	if (path.indexOf("\0") !== -1 || !/^[a-z0-9]+$/.test(path)) throw new Error("invalid path");
 	// STORAGE_LOCATION has a default value in start.ts
-	return join(process.env.STORAGE_LOCATION || "../", path);
+	const root = process.env.STORAGE_LOCATION || "../";
+	var filename = join(root, path);
+
+	if (path.indexOf("\0") !== -1 || !filename.startsWith(root)) throw new Error("invalid path");
+	return filename;
 }
 
 export class FileStorage implements Storage {
@@ -19,7 +22,11 @@ export class FileStorage implements Storage {
 	}
 
 	async set(path: string, value: any) {
-		return fs.writeFileSync(getPath(path), value, { encoding: "binary" });
+		path = getPath(path);
+		const dir = path.split("/").slice(0, -1).join("/");
+		fs.mkdirSync(dir, { recursive: true });
+
+		return fs.writeFileSync(path, value, { encoding: "binary" });
 	}
 
 	async delete(path: string) {