🔒 fix path traversal security issue
This commit is contained in:
parent
320fef002e
commit
a6eac74236
@ -1,26 +1,24 @@
|
|||||||
import { Storage } from "./Storage";
|
import { Storage } from "./Storage";
|
||||||
import fs from "fs";
|
import fs from "fs";
|
||||||
import { join } from "path";
|
import { join, relative } from "path";
|
||||||
import "missing-native-js-functions";
|
import "missing-native-js-functions";
|
||||||
|
|
||||||
|
function getPath(path: string) {
|
||||||
|
// STORAGE_LOCATION has a default value in start.ts
|
||||||
|
return join(process.env.STORAGE_LOCATION || "../", relative("/", path));
|
||||||
|
}
|
||||||
|
|
||||||
export class FileStorage implements Storage {
|
export class FileStorage implements Storage {
|
||||||
async get(path: string): Promise<Buffer | null> {
|
async get(path: string): Promise<Buffer | null> {
|
||||||
path = join(process.env.STORAGE_LOCATION || "", path);
|
|
||||||
try {
|
try {
|
||||||
const file = fs.readFileSync(path);
|
return fs.readFileSync(getPath(path));
|
||||||
// @ts-ignore
|
|
||||||
return file;
|
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
return null;
|
return null;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
async set(path: string, value: any) {
|
async set(path: string, value: any) {
|
||||||
path = join(process.env.STORAGE_LOCATION || "", path).replace(/[\\]/g, "/");
|
return fs.writeFileSync(getPath(path), value, { encoding: "binary" });
|
||||||
const dir = path.split("/").slice(0, -1).join("/");
|
|
||||||
fs.mkdirSync(dir, { recursive: true });
|
|
||||||
|
|
||||||
return fs.writeFileSync(path, value, { encoding: "binary" });
|
|
||||||
}
|
}
|
||||||
|
|
||||||
async delete(path: string) {
|
async delete(path: string) {
|
||||||
|
Loading…
x
Reference in New Issue
Block a user