[api] sanitize filenames on uploads

i1skn · Mar 13, 2020 · 3adf4ba · 3adf4ba
1 parent ac8ae1c
commit 3adf4ba
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/api/parts/mgmt/apps.js b/api/parts/mgmt/apps.js
@@ -163,6 +163,7 @@ const iconUpload = function(params) {
         const tmp_path = params.files.app_image.path,
             target_path = __dirname + '/../../../frontend/express/public/appimages/' + appId + ".png",
             type = params.files.app_image.type;
+
         if (type !== "image/png" && type !== "image/gif" && type !== "image/jpeg") {
             fs.unlink(tmp_path, function() {});
             log.d("Invalid file type");

diff --git a/api/utils/common.js b/api/utils/common.js
@@ -2283,4 +2283,21 @@ common.checkDatabaseConfigMatch = (apiConfig, frontendConfig) => {
     }
 };
 
-module.exports = common;
+/**
+ * Sanitizes a filename to prevent directory traversals and such.
+ * @param {string} filename -
+ * @param {string} replacement -
+ * @returns {string} sanitizedFilename -
+ */
+common.sanitizeFilename = (filename, replacement = "") => {
+    if (typeof filename !== "string") {
+        return "";
+    }
+
+    return filename
+        .replace(/[\x00-\x1f\x80-\x9f]+/g, replacement)
+        .replace(/[\/\?<>\\:\*\|"]/g, replacement)
+        .replace(/^\.{1,2}$/, replacement);
+};
+
+module.exports = common
diff --git a/frontend/express/app.js b/frontend/express/app.js
@@ -1270,6 +1270,8 @@ app.post(countlyConfig.path + '/apps/icon', function(req, res, next) {
         return true;
     }
 
+    req.body.app_image_id = common.sanitizeFilename(req.body.app_image_id);
+
     var tmp_path = req.files.app_image.path,
         target_path = __dirname + '/public/appimages/' + req.body.app_image_id + ".png",
         type = req.files.app_image.type;
@@ -1304,6 +1306,8 @@ app.post(countlyConfig.path + '/member/icon', function(req, res, next) {
         return true;
     }
 
+    req.body.member_image_id = common.sanitizeFilename(req.body.member_image_id);
+
     var tmp_path = req.files.member_image.path,
         target_path = __dirname + '/public/memberimages/' + req.body.member_image_id + ".png",
         type = req.files.member_image.type;