Normalize paths on files uploaded to prevent arbitrary file writes ()

* normalize paths on files uploaded to prevent arbitrary file writes

* force normalize path in string parse

---------

Co-authored-by: timothycarambat <rambat1010@gmail.com>
Sean Hatfield 2024-12-31 06:29:10 +08:00 committed by GitHub
parent 99b6dedc8b
commit 0b7bf68f2c


@ -2,6 +2,7 @@ const multer = require("multer");
const path = require("path");
const fs = require("fs");
const { v4 } = require("uuid");
const { normalizePath } = require(".");
/**
* Handle File uploads for auto-uploading.
@ -16,8 +17,8 @@ const fileUploadStorage = multer.diskStorage({
cb(null, uploadOutput);
},
filename: function (_, file, cb) {
file.originalname = Buffer.from(file.originalname, "latin1").toString(
"utf8"
file.originalname = normalizePath(
Buffer.from(file.originalname, "latin1").toString("utf8")
);
cb(null, file.originalname);
},
@ -36,6 +37,7 @@ const fileAPIUploadStorage = multer.diskStorage({
cb(null, uploadOutput);
},
filename: function (_, file, cb) {
file.originalname = normalizePath(file.originalname);
cb(null, file.originalname);
},
});
@ -51,8 +53,8 @@ const assetUploadStorage = multer.diskStorage({
return cb(null, uploadOutput);
},
filename: function (_, file, cb) {
file.originalname = Buffer.from(file.originalname, "latin1").toString(
"utf8"
file.originalname = normalizePath(
Buffer.from(file.originalname, "latin1").toString("utf8")
);
cb(null, file.originalname);
},
@ -71,7 +73,9 @@ const pfpUploadStorage = multer.diskStorage({
return cb(null, uploadOutput);
},
filename: function (req, file, cb) {
const randomFileName = `${v4()}${path.extname(file.originalname)}`;
const randomFileName = `${v4()}${path.extname(
normalizePath(file.originalname)
)}`;
req.randomFileName = randomFileName;
cb(null, randomFileName);
},
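Review bot: The three `filename` callbacks that now assign `file.originalname = normalizePath(...)` (the fileUploadStorage, fileAPIUploadStorage and assetUploadStorage hunks) still hand a user-supplied string straight to multer as the on-disk name, so the traversal protection rests entirely on what `normalizePath` from `"."` does, which is not visible in this commit. A defence that does not depend on that helper's internals is to keep only the final path component, e.g. `file.originalname = path.basename(normalizePath(file.originalname));` in the fileAPIUploadStorage callback and the same wrapping around the latin1→utf8 conversion in the other two, since `path` is already required at the top of this file. It would also be worth rejecting the case where the result is empty or `"."` (a name of `..` may normalize to that) rather than passing it to `cb`, because multer will otherwise attempt a write under that name. The pfpUploadStorage hunk only feeds the normalized name to `path.extname`, so the random `v4()` name already covers it; each `multer.diskStorage` object starts outside its hunk.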