Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-30 02:25:55 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: use file lib instead of directly accessing fs (for Assert.path)

Browse Source
This commit is contained in:
Julian Lam
2020-12-03 07:41:14 -05:00
parent 698718f87c
commit 3ea66f84e1
1 changed files with 3 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
src/middleware/assert.js
View File

@@ -5,12 +5,10 @@
* payload and throw an error otherwise. * payload and throw an error otherwise.
*/ */
const fs = require('fs');
const fsPromises = fs.promises;
const path = require('path'); const path = require('path');
const nconf = require('nconf'); const nconf = require('nconf');
const file = require('../file');
const user = require('../user'); const user = require('../user');
const groups = require('../groups'); const groups = require('../groups');
const topics = require('../topics'); const topics = require('../topics');
@@ -64,13 +62,12 @@ Assert.path = helpers.try(async (req, res, next) => {
const pathToFile = path.join(nconf.get('upload_path'), req.body.path); const pathToFile = path.join(nconf.get('upload_path'), req.body.path);
res.locals.cleanedPath = pathToFile; res.locals.cleanedPath = pathToFile;
// Guard against path traversal
if (!pathToFile.startsWith(nconf.get('upload_path'))) { if (!pathToFile.startsWith(nconf.get('upload_path'))) {
return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]')); return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
} }
try { if (!await file.exists(pathToFile)) {
await fsPromises.access(pathToFile, fs.constants.F_OK);
} catch (e) {
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]')); return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
} }