Normalize pfp path to prevent traversal
timothycarambat committed Jan 15, 2024
1 parent 026849d commit e1dcd5d
Showing 2 changed files with 5 additions and 4 deletions.
5 changes: 3 additions & 2 deletions server/endpoints/system.js
Expand Up @@ -502,7 +502,8 @@ function systemEndpoints(app) {
}

const userRecord = await User.get({ id: user.id });
const oldPfpFilename = userRecord.pfpFilename;
const oldPfpFilename = normalizePath(userRecord.pfpFilename);

console.log("oldPfpFilename", oldPfpFilename);
if (oldPfpFilename) {
const oldPfpPath = path.join(
Expand Down Expand Up @@ -536,7 +537,7 @@ function systemEndpoints(app) {
try {
const user = await userFromSession(request, response);
const userRecord = await User.get({ id: user.id });
const oldPfpFilename = userRecord.pfpFilename;
const oldPfpFilename = normalizePath(userRecord.pfpFilename);
console.log("oldPfpFilename", oldPfpFilename);
if (oldPfpFilename) {
const oldPfpPath = path.join(
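Review bot: At L21 and L31 the null guard `if (oldPfpFilename)` now runs after `normalizePath(userRecord.pfpFilename)`, so a user record with no stored filename reaches the helper first, and whether it returns a falsy value or throws for null/undefined is decided in `server/utils/files`, which is not visible here — the guard no longer protects on its own. Keeping the check in front is cheap and preserves the old behavior for users without a picture: `const oldPfpFilename = userRecord.pfpFilename ? normalizePath(userRecord.pfpFilename) : null;` at both sites. Neither hunk shows `normalizePath` being required into system.js; if it is not already in scope further up the file, the handler fails at request time with a ReferenceError inside the try rather than at load. The `console.log("oldPfpFilename", …)` lines at L23 and L32 survive both hunks and read as leftover debugging. Both route handlers start and end outside the hunks.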
4 changes: 2 additions & 2 deletions server/utils/files/pfp.js
Expand Up @@ -2,6 +2,7 @@ const path = require("path");
const fs = require("fs");
const { getType } = require("mime");
const { User } = require("../../models/user");
const { normalizePath } = require(".");

function fetchPfp(pfpPath) {
if (!fs.existsSync(pfpPath)) {
Expand Down Expand Up @@ -32,8 +33,7 @@ async function determinePfpFilepath(id) {
const basePath = process.env.STORAGE_DIR
? path.join(process.env.STORAGE_DIR, "assets/pfp")
: path.join(__dirname, "../../storage/assets/pfp");
const pfpFilepath = path.join(basePath, pfpFilename);

const pfpFilepath = path.join(basePath, normalizePath(pfpFilename));
if (!fs.existsSync(pfpFilepath)) return null;
return pfpFilepath;
}
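Review bot: At L52 the only defense against traversal is whatever `normalizePath` strips from `pfpFilename` before the `path.join`; the joined result is never compared against `basePath`, so the guarantee is exactly as strong as that helper, which is defined in `server/utils/files/index.js` and not visible here. A containment check after the join holds regardless of how the name was cleaned and is two lines: `const resolved = path.resolve(pfpFilepath);` / `if (!resolved.startsWith(path.resolve(basePath) + path.sep)) return null;` placed before the `existsSync` call, with the existing null return keeping callers unchanged. Where `pfpFilename` comes from is above the hunk, so I cannot tell whether it was validated when stored; `determinePfpFilepath` begins at the hunk header and its first lines are cut off. The `oldPfpPath` joins in system.js (L25 and L34) are cut off too but presumably follow the same `path.join(base, normalizePath(…))` shape, where the same check would apply.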
