server: add a function to sanitize paths

Jesse Chan
2020-08-27 11:22:57 +08:00
parent 3869f90fcc
commit d65451bfbb
4 changed files with 12 additions and 5 deletions
-1
@@ -1,7 +1,6 @@
/**
* This file is deprecated in favor of clientGatewayService.
*/
const fs = require('fs');
const mv = require('mv');
const path = require('path');
const util = require('util');
+1 -1
@@ -7,7 +7,7 @@ const fileUtil = require('../util/fileUtil');
const getDirectoryList = (options, callback) => {
const sourcePath = (options.path || '/').replace(/^~/, os.homedir());
const resolvedPath = path.resolve(sourcePath);
const resolvedPath = fileUtil.sanitizePath(sourcePath);
if (!fileUtil.isAllowedPath(resolvedPath)) {
callback(null, fileUtil.accessDeniedError());
return;
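Review bot: The allow-list check in getDirectoryList now runs on the sanitized `resolvedPath`, but the hunk does not show which value the rest of the function reads from disk. If any later call still uses `sourcePath` or `options.path`, the directory that gets listed is not the string that was checked. Every filesystem call after the guard should take `resolvedPath`, and a comment on the guard such as `// only resolvedPath is checked; do not use sourcePath below` would make that explicit. The same applies to the three call sites in the client file that switch to `fileUtil.sanitizePath` in this commit. The function body continues outside the hunk.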
+3 -3
@@ -24,7 +24,7 @@ const client = {
tags = tags.split(',');
}
const resolvedPath = path.resolve(destinationPath);
const resolvedPath = fileUtil.sanitizePath(destinationPath);
if (!fileUtil.isAllowedPath(resolvedPath)) {
callback(null, fileUtil.accessDeniedError());
return;
@@ -65,7 +65,7 @@ const client = {
addUrls(user, services, data, callback) {
const {urls, destination, isBasePath, start, tags} = data;
const request = new ClientRequest(user, services);
const resolvedPath = path.resolve(destination);
const resolvedPath = fileUtil.sanitizePath(destination);
if (!fileUtil.isAllowedPath(resolvedPath)) {
callback(null, fileUtil.accessDeniedError());
return;
@@ -242,7 +242,7 @@ const client = {
const {isBasePath, hashes, filenames, moveFiles, sourcePaths, isCheckHash} = data;
const mainRequest = new ClientRequest(user, services);
const resolvedPath = path.resolve(destinationPath);
const resolvedPath = fileUtil.sanitizePath(destinationPath);
if (!fileUtil.isAllowedPath(resolvedPath)) {
callback(null, fileUtil.accessDeniedError());
return;
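Review bot: In addUrls, `destination` is destructured straight from `data` and handed to `fileUtil.sanitizePath`, which calls `path.resolve(input)`. `path.resolve` throws a TypeError for a non-string argument, so a request that omits the destination would raise synchronously instead of reaching `callback`, unless something outside the hunk validates it first. A guard before the call, `if (typeof destination !== 'string') { callback(null, fileUtil.accessDeniedError()); return; }`, keeps the failure on the existing error path. The two `destinationPath` call sites in the other hunks of this file would need the same guard. All three methods start and end outside their hunks.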
+8
@@ -1,4 +1,5 @@
const fs = require('fs');
const path = require('path');
const config = require('../../config');
@@ -24,6 +25,12 @@ const isAllowedPath = (resolvedPath) => {
});
};
const sanitizePath = (input) => {
// eslint-disable-next-line no-control-regex
const controlRe = /[\x00-\x1f\x80-\x9f]/g;
return path.resolve(input).replace(controlRe, '');
};
const accessDeniedError = () => {
const error = new Error();
error.code = 'EACCES';
@@ -33,6 +40,7 @@ const accessDeniedError = () => {
const fileUtil = {
createDirectory,
isAllowedPath,
sanitizePath,
accessDeniedError,
};
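Review bot: `sanitizePath` strips control characters after `path.resolve` has already normalized the input, so the returned string is no longer guaranteed to be normalized. Removing characters from inside a segment can leave a `.` or `..` segment that `resolve` never collapsed. `isAllowedPath` is only partly visible here, but if it compares against allowed prefixes, the value it approves and the location the filesystem later reaches could differ. Stripping first, `return path.resolve(input.replace(controlRe, ''));`, keeps the result canonical. Rejecting any input that matches `controlRe` would be stricter and avoids silently rewriting a caller-supplied path.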