Normalize paths on files uploaded to prevent arbitrary file writes (#2905)

* normalize paths on files uploaded to prevent arbitrary file writes

* force normalize path in string parse

---------

Co-authored-by: timothycarambat <rambat1010@gmail.com>

server/utils/files/multer.js

@@ -2,6 +2,7 @@ const multer = require("multer");
 const path = require("path");
 const fs = require("fs");
 const { v4 } = require("uuid");
+const { normalizePath } = require(".");
 
 /**
  * Handle File uploads for auto-uploading.
@@ -16,8 +17,8 @@ const fileUploadStorage = multer.diskStorage({
     cb(null, uploadOutput);
   },
   filename: function (_, file, cb) {
-    file.originalname = Buffer.from(file.originalname, "latin1").toString(
-      "utf8"
+    file.originalname = normalizePath(
+      Buffer.from(file.originalname, "latin1").toString("utf8")
     );
     cb(null, file.originalname);
   },
@@ -36,6 +37,7 @@ const fileAPIUploadStorage = multer.diskStorage({
     cb(null, uploadOutput);
   },
   filename: function (_, file, cb) {
+    file.originalname = normalizePath(file.originalname);
     cb(null, file.originalname);
   },
 });
@@ -51,8 +53,8 @@ const assetUploadStorage = multer.diskStorage({
     return cb(null, uploadOutput);
   },
   filename: function (_, file, cb) {
-    file.originalname = Buffer.from(file.originalname, "latin1").toString(
-      "utf8"
+    file.originalname = normalizePath(
+      Buffer.from(file.originalname, "latin1").toString("utf8")
     );
     cb(null, file.originalname);
   },
@@ -71,7 +73,9 @@ const pfpUploadStorage = multer.diskStorage({
     return cb(null, uploadOutput);
   },
   filename: function (req, file, cb) {
-    const randomFileName = `${v4()}${path.extname(file.originalname)}`;
+    const randomFileName = `${v4()}${path.extname(
+      normalizePath(file.originalname)
+    )}`;
     req.randomFileName = randomFileName;
     cb(null, randomFileName);
   },