🔒 fix path traversal security issue

This commit is contained in:
Flam3rboy 2021-08-07 13:15:26 +02:00
parent 320fef002e
commit a6eac74236

View File

@ -1,26 +1,24 @@
import { Storage } from "./Storage"; import { Storage } from "./Storage";
import fs from "fs"; import fs from "fs";
import { join } from "path"; import { join, relative } from "path";
import "missing-native-js-functions"; import "missing-native-js-functions";
function getPath(path: string) {
// STORAGE_LOCATION has a default value in start.ts
return join(process.env.STORAGE_LOCATION || "../", relative("/", path));
}
export class FileStorage implements Storage { export class FileStorage implements Storage {
async get(path: string): Promise<Buffer | null> { async get(path: string): Promise<Buffer | null> {
path = join(process.env.STORAGE_LOCATION || "", path);
try { try {
const file = fs.readFileSync(path); return fs.readFileSync(getPath(path));
// @ts-ignore
return file;
} catch (error) { } catch (error) {
return null; return null;
} }
} }
async set(path: string, value: any) { async set(path: string, value: any) {
path = join(process.env.STORAGE_LOCATION || "", path).replace(/[\\]/g, "/"); return fs.writeFileSync(getPath(path), value, { encoding: "binary" });
const dir = path.split("/").slice(0, -1).join("/");
fs.mkdirSync(dir, { recursive: true });
return fs.writeFileSync(path, value, { encoding: "binary" });
} }
async delete(path: string) { async delete(path: string) {