Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: do not allow thumb deletion route to arbitrarily delete other files in uploads folder

Browse Source
This commit is contained in:
Julian Lam
2020-12-04 13:30:28 -05:00
parent 5950683316
commit c09c238e3f
2 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/topics/thumbs.js
View File

@@ -64,8 +64,9 @@ Thumbs.delete = async function (id, relativePath) {
if (associated) {
await db.sortedSetRemove(set, relativePath);
}
if (existsOnDisk) {
await file.delete(absolutePath);
}
}
};

7
test/topics/thumbs.js
View File

@@ -127,6 +127,7 @@ describe('Topic thumbs', () => {
describe(`.delete()`, () => {
it('should remove a file from sorted set AND disk', async () => {
await topics.thumbs.associate(1, thumbPaths[0]);
await topics.thumbs.delete(1, thumbPaths[0]);
assert.strictEqual(await db.isSortedSetMember('topic:1:thumbs', thumbPaths[0]), false);
@@ -140,6 +141,12 @@ describe('Topic thumbs', () => {
assert.strictEqual(await db.isSortedSetMember(`draft:${uuid}:thumbs`, thumbPaths[1]), false);
assert.strictEqual(await file.exists(`${nconf.get('upload_path')}/${thumbPaths[1]}`), false);
});
it('should not delete the file from disk if not associated with the tid', async () => {
createFiles();
await topics.thumbs.delete(uuid, thumbPaths[0]);
assert.strictEqual(await file.exists(`${nconf.get('upload_path')}/${thumbPaths[0]}`), true);
});
});
describe('HTTP calls to topic thumb routes', () => {