Normalize pfp path to prevent traversal

server/endpoints/system.js

@@ -502,7 +502,8 @@ function systemEndpoints(app) {
         }
 
         const userRecord = await User.get({ id: user.id });
-        const oldPfpFilename = userRecord.pfpFilename;
+        const oldPfpFilename = normalizePath(userRecord.pfpFilename);
+
         console.log("oldPfpFilename", oldPfpFilename);
         if (oldPfpFilename) {
           const oldPfpPath = path.join(
@@ -536,7 +537,7 @@ function systemEndpoints(app) {
       try {
         const user = await userFromSession(request, response);
         const userRecord = await User.get({ id: user.id });
-        const oldPfpFilename = userRecord.pfpFilename;
+        const oldPfpFilename = normalizePath(userRecord.pfpFilename);
         console.log("oldPfpFilename", oldPfpFilename);
         if (oldPfpFilename) {
           const oldPfpPath = path.join(

server/utils/files/pfp.js

@@ -2,6 +2,7 @@ const path = require("path");
 const fs = require("fs");
 const { getType } = require("mime");
 const { User } = require("../../models/user");
+const { normalizePath } = require(".");
 
 function fetchPfp(pfpPath) {
   if (!fs.existsSync(pfpPath)) {
@@ -32,8 +33,7 @@ async function determinePfpFilepath(id) {
   const basePath = process.env.STORAGE_DIR
     ? path.join(process.env.STORAGE_DIR, "assets/pfp")
     : path.join(__dirname, "../../storage/assets/pfp");
-  const pfpFilepath = path.join(basePath, pfpFilename);
-
+  const pfpFilepath = path.join(basePath, normalizePath(pfpFilename));
   if (!fs.existsSync(pfpFilepath)) return null;
   return pfpFilepath;
 }