Try to fix final 2 CodeQL issues (others got fixed yay)

3 years ago · efbbd950be
parent ac1dc19ebf
commit efbbd950be
4 changed files with 51 additions and 2 deletions
--- a/ass.js
+++ b/ass.js
@ -25,7 +25,7 @@ const Vibrant = require('./vibrant');
 const Hash = require('./hash');
 const Path = require('path');
 const { uploadLocal, uploadS3, deleteS3 } = require('./storage');
-const { path, saveData, log, verify, generateToken, generateId, formatBytes, arrayEquals, getS3url, downloadTempS3 } = require('./utils');
+const { path, saveData, log, verify, generateToken, generateId, formatBytes, arrayEquals, getS3url, downloadTempS3, sanitize } = require('./utils');
 //#endregion

 //#region Variables, module setup
@ -107,6 +107,9 @@ function startup() {
 		req.file.randomId = req.randomId;
 		req.file.deleteId = req.deleteId;

+		// Sanitize filename just in case Multer didn't catch it
+		req.file.originalname = sanitize(req.file.originalname);
+
 		// Download a temp copy to work with if using S3 storage
 		(s3enabled ? downloadTempS3(req.file) : new Promise((resolve) => resolve()))

--- a/package-lock.json
+++ b/package-lock.json
@ -29,6 +29,7 @@
        "node-vibrant": "*",
        "prompt": "^1.1.0",
        "pug": "^3.0.2",
+        "sanitize-filename": "^1.6.3",
        "stream-to-array": "^2.3.0",
        "uuid": "^8.3.2"
      }
@ -2351,6 +2352,14 @@
      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
    },
+    "node_modules/sanitize-filename": {
+      "version": "1.6.3",
+      "resolved": "https://registry.npmjs.org/sanitize-filename/-/sanitize-filename-1.6.3.tgz",
+      "integrity": "sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg==",
+      "dependencies": {
+        "truncate-utf8-bytes": "^1.0.0"
+      }
+    },
    "node_modules/sax": {
      "version": "1.2.1",
      "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.1.tgz",
@ -2482,6 +2491,14 @@
      "resolved": "https://registry.npmjs.org/token-stream/-/token-stream-1.0.0.tgz",
      "integrity": "sha1-zCAOqyYT9BZtJ/+a/HylbUnfbrQ="
    },
+    "node_modules/truncate-utf8-bytes": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz",
+      "integrity": "sha1-QFkjkJWS1W94pYGENLC3hInKXys=",
+      "dependencies": {
+        "utf8-byte-length": "^1.0.1"
+      }
+    },
    "node_modules/tweetnacl": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-1.0.3.tgz",
@ -2537,6 +2554,11 @@
        "querystring": "0.2.0"
      }
    },
+    "node_modules/utf8-byte-length": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/utf8-byte-length/-/utf8-byte-length-1.0.4.tgz",
+      "integrity": "sha1-9F8VDExm7uloGGUFq5P8u4rWv2E="
+    },
    "node_modules/utif": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/utif/-/utif-2.0.1.tgz",
@ -4552,6 +4574,14 @@
      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg=="
    },
+    "sanitize-filename": {
+      "version": "1.6.3",
+      "resolved": "https://registry.npmjs.org/sanitize-filename/-/sanitize-filename-1.6.3.tgz",
+      "integrity": "sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg==",
+      "requires": {
+        "truncate-utf8-bytes": "^1.0.0"
+      }
+    },
    "sax": {
      "version": "1.2.1",
      "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.1.tgz",
@ -4661,6 +4691,14 @@
      "resolved": "https://registry.npmjs.org/token-stream/-/token-stream-1.0.0.tgz",
      "integrity": "sha1-zCAOqyYT9BZtJ/+a/HylbUnfbrQ="
    },
+    "truncate-utf8-bytes": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz",
+      "integrity": "sha1-QFkjkJWS1W94pYGENLC3hInKXys=",
+      "requires": {
+        "utf8-byte-length": "^1.0.1"
+      }
+    },
    "tweetnacl": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-1.0.3.tgz",
@ -4704,6 +4742,11 @@
        "querystring": "0.2.0"
      }
    },
+    "utf8-byte-length": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/utf8-byte-length/-/utf8-byte-length-1.0.4.tgz",
+      "integrity": "sha1-9F8VDExm7uloGGUFq5P8u4rWv2E="
+    },
    "utif": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/utif/-/utif-2.0.1.tgz",
--- a/package.json
+++ b/package.json
@ -45,6 +45,7 @@
    "node-vibrant": "*",
    "prompt": "^1.1.0",
    "pug": "^3.0.2",
+    "sanitize-filename": "^1.6.3",
    "stream-to-array": "^2.3.0",
    "uuid": "^8.3.2"
  }
--- a/utils.js
+++ b/utils.js
@ -1,6 +1,7 @@
 const fs = require('fs-extra');
 const Path = require('path');
 const fetch = require('node-fetch');
+const sanitize = require("sanitize-filename");
 const token = require('./generators/token');
 const zwsGen = require('./generators/zws');
 const randomGen = require('./generators/random');
@ -45,7 +46,8 @@ module.exports = {
 			.then((f2) => f2.body.pipe(fs.createWriteStream(Path.join(__dirname, 'uploads/', file.originalname)).on('close', () => resolve())))
 			.catch(reject)),
 	getS3url,
-	getSafeExt
+	getSafeExt,
+	sanitize
 }

 function getS3url(s3key, type) {