From e1dcd5ded010b03abd6aa32d1bf0668a48e38e17 Mon Sep 17 00:00:00 2001
From: timothycarambat <rambat1010@gmail.com>
Date: Sun, 14 Jan 2024 16:53:44 -0800
Subject: [PATCH] Normalize pfp path to prevent traversal

---
 server/endpoints/system.js | 5 +++--
 server/utils/files/pfp.js  | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index 6d985065c..39b77a6a1 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -502,7 +502,8 @@ function systemEndpoints(app) {
         }
 
         const userRecord = await User.get({ id: user.id });
-        const oldPfpFilename = userRecord.pfpFilename;
+        const oldPfpFilename = normalizePath(userRecord.pfpFilename);
+
         console.log("oldPfpFilename", oldPfpFilename);
         if (oldPfpFilename) {
           const oldPfpPath = path.join(
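Review bot: `normalizePath(userRecord.pfpFilename)` now runs before the `if (oldPfpFilename)` guard, so a user with no stored picture sends a null or empty value into the normalizer. `normalizePath` is not shown in this patch; if it wraps `path.normalize`, a null argument throws a TypeError and an empty string comes back as `"."`, which is truthy and would pass the guard. Keeping the guard on the raw value avoids both: `const oldPfpFilename = userRecord.pfpFilename ? normalizePath(userRecord.pfpFilename) : null;`. The same assignment in the second hunk of this file needs the same change. The patch adds no `require` for `normalizePath` in system.js, so confirm it is already in scope there; the handler starts and ends outside the hunk.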
@@ -536,7 +537,7 @@ function systemEndpoints(app) {
       try {
         const user = await userFromSession(request, response);
         const userRecord = await User.get({ id: user.id });
-        const oldPfpFilename = userRecord.pfpFilename;
+        const oldPfpFilename = normalizePath(userRecord.pfpFilename);
         console.log("oldPfpFilename", oldPfpFilename);
         if (oldPfpFilename) {
           const oldPfpPath = path.join(
diff --git a/server/utils/files/pfp.js b/server/utils/files/pfp.js
index 943aa595f..dd6ba0fe2 100644
--- a/server/utils/files/pfp.js
+++ b/server/utils/files/pfp.js
@@ -2,6 +2,7 @@ const path = require("path");
 const fs = require("fs");
 const { getType } = require("mime");
 const { User } = require("../../models/user");
+const { normalizePath } = require(".");
 
 function fetchPfp(pfpPath) {
   if (!fs.existsSync(pfpPath)) {
@@ -32,8 +33,7 @@ async function determinePfpFilepath(id) {
   const basePath = process.env.STORAGE_DIR
     ? path.join(process.env.STORAGE_DIR, "assets/pfp")
     : path.join(__dirname, "../../storage/assets/pfp");
-  const pfpFilepath = path.join(basePath, pfpFilename);
-
+  const pfpFilepath = path.join(basePath, normalizePath(pfpFilename));
   if (!fs.existsSync(pfpFilepath)) return null;
   return pfpFilepath;
 }
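Review bot: After `path.join(basePath, normalizePath(pfpFilename))` nothing confirms that the result is still inside `basePath`, so the protection depends entirely on what `normalizePath` (not shown in this patch) strips. A containment check after the join makes the guarantee explicit and independent of the helper: `const root = path.resolve(basePath);` followed by `if (!path.resolve(pfpFilepath).startsWith(root + path.sep)) return null;`. The start of determinePfpFilepath is outside the hunk, so it is not visible whether `pfpFilename` can be null here; if it can, return null before calling `normalizePath`.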
-- 
GitLab