From 0b7bf68f2c02ca68075970fbf85d5a70ca5e94ca Mon Sep 17 00:00:00 2001
From: Sean Hatfield <seanhatfield5@gmail.com>
Date: Tue, 31 Dec 2024 06:29:10 +0800
Subject: [PATCH] Normalize paths on files uploaded to prevent arbitrary file
 writes (#2905)

* normalize paths on files uploaded to prevent arbitrary file writes

* force normalize path in string parse

---------

Co-authored-by: timothycarambat <rambat1010@gmail.com>
---
 server/utils/files/multer.js | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/server/utils/files/multer.js b/server/utils/files/multer.js
index a4b90042e..18c6df607 100644
--- a/server/utils/files/multer.js
+++ b/server/utils/files/multer.js
@@ -2,6 +2,7 @@ const multer = require("multer");
 const path = require("path");
 const fs = require("fs");
 const { v4 } = require("uuid");
+const { normalizePath } = require(".");
 
 /**
  * Handle File uploads for auto-uploading.
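Review bot: The new import pulls `normalizePath` from this directory's own index via `require(".")`, which is opaque to a reader and is the shape of import most likely to form a require cycle. If `index.js` in turn requires `multer.js` (not visible in this patch), the destructured `normalizePath` would be `undefined` at load time and every `filename` callback below would throw on first upload rather than at startup. A comment on this line naming the module it resolves to, or requiring the helper from its defining file directly, would make the dependency explicit; at minimum a startup-time check that `normalizePath` is a function would surface a cycle early.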
@@ -16,8 +17,8 @@ const fileUploadStorage = multer.diskStorage({
     cb(null, uploadOutput);
   },
   filename: function (_, file, cb) {
-    file.originalname = Buffer.from(file.originalname, "latin1").toString(
-      "utf8"
+    file.originalname = normalizePath(
+      Buffer.from(file.originalname, "latin1").toString("utf8")
     );
     cb(null, file.originalname);
   },
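Review bot: The normalized name is handed straight to `cb` on the next line as the on-disk file name, so whether a directory component can still reach `diskStorage` depends entirely on what `normalizePath` does, and its implementation is not in this patch. A local check that the result is a single path segment would make the guarantee self-contained in this callback: `if (path.basename(file.originalname) !== file.originalname) return cb(new Error("Invalid file name"));` placed before `cb(null, file.originalname);`. The same point applies to the `fileAPIUploadStorage` and `assetUploadStorage` hunks below. The enclosing `fileUploadStorage` object starts and ends outside this hunk.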
@@ -36,6 +37,7 @@ const fileAPIUploadStorage = multer.diskStorage({
     cb(null, uploadOutput);
   },
   filename: function (_, file, cb) {
+    file.originalname = normalizePath(file.originalname);
     cb(null, file.originalname);
   },
 });
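Review bot: This callback normalizes `file.originalname` without the `Buffer.from(..., "latin1").toString("utf8")` re-decoding that the other two `filename` callbacks in this patch apply first, so the same client name may be normalized and stored under two different byte sequences depending on the upload route. If that is intentional (for instance because API clients send the name as plain UTF-8 rather than through a browser multipart header), a one-line comment above the new line stating so, such as `// API uploads arrive as UTF-8 already; no latin1 re-decode needed`, would stop a later reader from "fixing" it to match. The enclosing `fileAPIUploadStorage` object starts outside this hunk.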
@@ -51,8 +53,8 @@ const assetUploadStorage = multer.diskStorage({
     return cb(null, uploadOutput);
   },
   filename: function (_, file, cb) {
-    file.originalname = Buffer.from(file.originalname, "latin1").toString(
-      "utf8"
+    file.originalname = normalizePath(
+      Buffer.from(file.originalname, "latin1").toString("utf8")
     );
     cb(null, file.originalname);
   },
@@ -71,7 +73,9 @@ const pfpUploadStorage = multer.diskStorage({
     return cb(null, uploadOutput);
   },
   filename: function (req, file, cb) {
-    const randomFileName = `${v4()}${path.extname(file.originalname)}`;
+    const randomFileName = `${v4()}${path.extname(
+      normalizePath(file.originalname)
+    )}`;
     req.randomFileName = randomFileName;
     cb(null, randomFileName);
   },
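Review bot: Only `path.extname` of the normalized name is used here, and `extname` already operates on the last path segment, so the added `normalizePath` call is defence in depth rather than the thing that keeps the stored name inside the destination directory; a short comment would record that, e.g. `// defence in depth: only the extension of the client-supplied name survives into the stored name`. The extension itself remains client-controlled, so unless a `fileFilter` elsewhere restricts it (not visible in this patch), an allow-list of image extensions at this point would be the more meaningful control for profile pictures. The enclosing `pfpUploadStorage` object starts outside this hunk.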
-- 
GitLab