Sanitize some user inputs

karasevm · Jan 21, 2023 · 8378c5f · 8378c5f
1 parent 928ade3
commit 8378c5f
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 2 deletions.
diff --git a/packages/server/package.json b/packages/server/package.json
@@ -64,6 +64,7 @@
     "fluent-ffmpeg": "^2.1.2",
     "morgan": "^1.10.0",
     "nanoid": "^3.3.4",
+    "sanitize-filename": "^1.6.3",
     "sharp": "^0.31.3",
     "tmp": "^0.2.1",
     "winston": "^3.8.2"

diff --git a/packages/server/src/services/imageService.ts b/packages/server/src/services/imageService.ts
@@ -1,6 +1,7 @@
 import fs from 'fs';
 import path from 'path';
 import fileType from 'file-type';
+import sanitize from "sanitize-filename";
 import { customAlphabet } from 'nanoid/async';
 import { getImagesFromDB, insertImageIntoDB } from '../utils/db';
 import logger from '../utils/logger';
@@ -98,7 +99,7 @@ export const getImages = async (
 export const getImage = async (filename: string): Promise<Image> => {
   try {
     logger.verbose(`Looking for file ${filename}...`);
-    const file = fs.readFileSync(path.join(IMAGE_DIR, filename));
+    const file = fs.readFileSync(path.join(IMAGE_DIR, sanitize(filename)));
     logger.verbose('Found.');
     const type = await fileType.fromBuffer(file);
     if (type === undefined) {
@@ -117,7 +118,7 @@ export const getImage = async (filename: string): Promise<Image> => {
  */
 export const imageExists = async (filename: string): Promise<boolean> => {
   try {
-    if (fs.existsSync(path.join(IMAGE_DIR, filename))) {
+    if (fs.existsSync(path.join(IMAGE_DIR, sanitize(filename)))) {
       return true;
     }
     return false;

diff --git a/yarn.lock b/yarn.lock
@@ -14933,6 +14933,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"sanitize-filename@npm:^1.6.3":
+  version: 1.6.3
+  resolution: "sanitize-filename@npm:1.6.3"
+  dependencies:
+    truncate-utf8-bytes: ^1.0.0
+  checksum: aa733c012b7823cf65730603cf3b503c641cee6b239771d3164ca482f22d81a50e434a713938d994071db18e4202625669cc56bccc9d13d818b4c983b5f47fde
+  languageName: node
+  linkType: hard
+
 "sanitize.css@npm:*":
   version: 13.0.0
   resolution: "sanitize.css@npm:13.0.0"
@@ -15194,6 +15203,7 @@ __metadata:
     jest: ^26.6.3
     morgan: ^1.10.0
     nanoid: ^3.3.4
+    sanitize-filename: ^1.6.3
     sharp: ^0.31.3
     supertest: ^6.3.3
     tmp: ^0.2.1
@@ -16427,6 +16437,15 @@ __metadata:
   languageName: node
   linkType: hard
 
+"truncate-utf8-bytes@npm:^1.0.0":
+  version: 1.0.2
+  resolution: "truncate-utf8-bytes@npm:1.0.2"
+  dependencies:
+    utf8-byte-length: ^1.0.1
+  checksum: ad097314709ea98444ad9c80c03aac8da805b894f37ceb5685c49ad297483afe3a5ec9572ebcaff699dda72b6cd447a2ba2a3fd10e96c2628cd16d94abeb328a
+  languageName: node
+  linkType: hard
+
 "tryer@npm:^1.0.1":
   version: 1.0.1
   resolution: "tryer@npm:1.0.1"
@@ -16860,6 +16879,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"utf8-byte-length@npm:^1.0.1":
+  version: 1.0.4
+  resolution: "utf8-byte-length@npm:1.0.4"
+  checksum: f188ca076ec094d58e7009fcc32623c5830c7f0f3e15802bfa4fdd1e759454a481fc4ac05e0fa83b7736e77af628a9ee0e57dcc89683d688fde3811473e42143
+  languageName: node
+  linkType: hard
+
 "util-deprecate@npm:^1.0.1, util-deprecate@npm:^1.0.2, util-deprecate@npm:~1.0.1":
   version: 1.0.2
   resolution: "util-deprecate@npm:1.0.2"