fix: check brand:touchIcon for correct path

2025-11-02 20:16:04 +01:00 · 2025-09-12 19:19:52 -04:00
parent f9ddbebacc
commit 56fad0be0d
2 changed files with 21 additions and 5 deletions
--- a/src/middleware/index.js
+++ b/src/middleware/index.js
@@ -145,12 +145,18 @@ middleware.logApiUsage = async function logApiUsage(req, res, next) {
 };

 middleware.routeTouchIcon = function routeTouchIcon(req, res) {
-	if (meta.config['brand:touchIcon'] && validator.isURL(meta.config['brand:touchIcon'])) {
-		return res.redirect(meta.config['brand:touchIcon']);
+	const brandTouchIcon = meta.config['brand:touchIcon'];
+	if (brandTouchIcon && validator.isURL(brandTouchIcon)) {
+		return res.redirect(brandTouchIcon);
 	}
+
 	let iconPath = '';
-	if (meta.config['brand:touchIcon']) {
-		iconPath = path.join(nconf.get('upload_path'), meta.config['brand:touchIcon'].replace(/assets\/uploads/, ''));
+	if (brandTouchIcon) {
+		const uploadPath = nconf.get('upload_path');
+		iconPath = path.join(uploadPath, brandTouchIcon.replace(/assets\/uploads/, ''));
+		if (!iconPath.startsWith(uploadPath)) {
+			return res.status(404).send('Not found');
+		}
 	} else {
 		iconPath = path.join(nconf.get('base_dir'), 'public/images/touch/512.png');
 	}
--- a/test/controllers.js
+++ b/test/controllers.js
@@ -6,8 +6,8 @@ const fs = require('fs');
 const path = require('path');
 const util = require('util');

-const request = require('../src/request');
 const db = require('./mocks/databasemock');
+const request = require('../src/request');
 const api = require('../src/api');
 const categories = require('../src/categories');
 const topics = require('../src/topics');
@@ -692,6 +692,16 @@ describe('Controllers', () => {
 		assert(body);
 	});

+	it('should 404 if brand:touchIcon is not valid', async () => {
+		const oldValue = meta.config['brand:touchIcon'];
+		meta.config['brand:touchIcon'] = '../../not/valid';
+
+		const { response, body } = await request.get(`${nconf.get('url')}/apple-touch-icon`);
+		assert.strictEqual(response.statusCode, 404);
+		assert.strictEqual(body, 'Not found');
+		meta.config['brand:touchIcon'] = oldValue;
+	})
+

 	it('should error if guests do not have search privilege', async () => {
 		const { response, body } = await request.get(`${nconf.get('url')}/api/users?query=bar&section=sort-posts`);