From efbbd950be13de7c7af99b92250f8e8cb64527a2 Mon Sep 17 00:00:00 2001
From: tycrek
Date: Thu, 17 Jun 2021 12:18:52 -0600
Subject: [PATCH] Try to fix final 2 CodeQL issues (others got fixed yay)

---
 ass.js | 5 ++++-
 package-lock.json | 43 +++++++++++++++++++++++++++++++++++++++++++
 package.json | 1 +
 utils.js | 4 +++-
 4 files changed, 51 insertions(+), 2 deletions(-)

diff --git a/ass.js b/ass.js
index ffd16d9..d38e941 100755
--- a/ass.js
+++ b/ass.js
@@ -25,7 +25,7 @@ const Vibrant = require('./vibrant');
 const Hash = require('./hash');
 const Path = require('path');
 const { uploadLocal, uploadS3, deleteS3 } = require('./storage');
-const { path, saveData, log, verify, generateToken, generateId, formatBytes, arrayEquals, getS3url, downloadTempS3 } = require('./utils');
+const { path, saveData, log, verify, generateToken, generateId, formatBytes, arrayEquals, getS3url, downloadTempS3, sanitize } = require('./utils');
 //#endregion
 //#region Variables, module setup
@@ -107,6 +107,9 @@ function startup() {
 req.file.randomId = req.randomId;
 req.file.deleteId = req.deleteId;
+ // Sanitize filename just in case Multer didn't catch it
+ req.file.originalname = sanitize(req.file.originalname);
+
 // Download a temp copy to work with if using S3 storage
 (s3enabled ? downloadTempS3(req.file) : new Promise((resolve) => resolve()))
diff --git a/package-lock.json b/package-lock.json
index f7c6818..83fdfba 100755
--- a/package-lock.json
+++ b/package-lock.json
@@ -29,6 +29,7 @@
 "node-vibrant": "*",
 "prompt": "^1.1.0",
 "pug": "^3.0.2",
+ "sanitize-filename": "^1.6.3",
 "stream-to-array": "^2.3.0",
 "uuid": "^8.3.2"
 }
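Review bot: The new `req.file.originalname = sanitize(req.file.originalname);` line can leave an empty name — sanitize-filename is documented to strip path separators and relative segments, so an upload named `..` or `.` sanitizes to `""` — and that value then flows into `downloadTempS3`, whose write target is `Path.join(__dirname, 'uploads/', file.originalname)`; an empty name resolves to the uploads directory itself and the write fails. Fall back to an id the request already carries, `req.file.originalname = sanitize(req.file.originalname) || req.randomId;`. The comment "just in case Multer didn't catch it" understates the situation: as far as I know Multer never sanitizes `originalname`, so this line is the only defense and the comment should say so, e.g. `// Multer passes originalname through untouched; strip path separators and reserved names before it reaches any filesystem path`. Whether Multer's disk storage has already written the file under the unsanitized name before this line runs is not visible here and worth confirming, since sanitizing only the in-memory field would not protect that earlier write. `startup()` continues outside the hunk.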
@@ -2351,6 +2352,14 @@ "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, + "node_modules/sanitize-filename": { + "version": "1.6.3", + "resolved": "https://registry.npmjs.org/sanitize-filename/-/sanitize-filename-1.6.3.tgz", + "integrity": "sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg==", + "dependencies": { + "truncate-utf8-bytes": "^1.0.0" + } + }, "node_modules/sax": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.1.tgz", @@ -2482,6 +2491,14 @@ "resolved": "https://registry.npmjs.org/token-stream/-/token-stream-1.0.0.tgz", "integrity": "sha1-zCAOqyYT9BZtJ/+a/HylbUnfbrQ=" }, + "node_modules/truncate-utf8-bytes": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz", + "integrity": "sha1-QFkjkJWS1W94pYGENLC3hInKXys=", + "dependencies": { + "utf8-byte-length": "^1.0.1" + } + }, "node_modules/tweetnacl": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-1.0.3.tgz", @@ -2537,6 +2554,11 @@ "querystring": "0.2.0" } }, + "node_modules/utf8-byte-length": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/utf8-byte-length/-/utf8-byte-length-1.0.4.tgz", + "integrity": "sha1-9F8VDExm7uloGGUFq5P8u4rWv2E=" + }, "node_modules/utif": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/utif/-/utif-2.0.1.tgz", 
@@ -4552,6 +4574,14 @@ "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==" }, + "sanitize-filename": { + "version": "1.6.3", + "resolved": "https://registry.npmjs.org/sanitize-filename/-/sanitize-filename-1.6.3.tgz", + "integrity": "sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg==", + "requires": { + "truncate-utf8-bytes": "^1.0.0" + } + }, "sax": { "version": "1.2.1", "resolved": "https://registry.npmjs.org/sax/-/sax-1.2.1.tgz", @@ -4661,6 +4691,14 @@ "resolved": "https://registry.npmjs.org/token-stream/-/token-stream-1.0.0.tgz", "integrity": "sha1-zCAOqyYT9BZtJ/+a/HylbUnfbrQ=" }, + "truncate-utf8-bytes": { + "version": "1.0.2", + "resolved": "https://registry.npmjs.org/truncate-utf8-bytes/-/truncate-utf8-bytes-1.0.2.tgz", + "integrity": "sha1-QFkjkJWS1W94pYGENLC3hInKXys=", + "requires": { + "utf8-byte-length": "^1.0.1" + } + }, "tweetnacl": { "version": "1.0.3", "resolved": "https://registry.npmjs.org/tweetnacl/-/tweetnacl-1.0.3.tgz", @@ -4704,6 +4742,11 @@ "querystring": "0.2.0" } }, + "utf8-byte-length": { + "version": "1.0.4", + "resolved": "https://registry.npmjs.org/utf8-byte-length/-/utf8-byte-length-1.0.4.tgz", + "integrity": "sha1-9F8VDExm7uloGGUFq5P8u4rWv2E=" + }, "utif": { "version": "2.0.1", "resolved": "https://registry.npmjs.org/utif/-/utif-2.0.1.tgz", diff --git a/package.json b/package.json index d2dfac4..f0da8bb 100755 --- a/package.json +++ b/package.json @@ -45,6 +45,7 @@ "node-vibrant": "*", "prompt": "^1.1.0", "pug": "^3.0.2", + "sanitize-filename": "^1.6.3", "stream-to-array": "^2.3.0", "uuid": "^8.3.2" } diff --git a/utils.js b/utils.js index 2bec395..d2440d8 100755 --- a/utils.js +++ b/utils.js 
@@ -1,6 +1,7 @@
 const fs = require('fs-extra');
 const Path = require('path');
 const fetch = require('node-fetch');
+const sanitize = require("sanitize-filename");
 const token = require('./generators/token');
 const zwsGen = require('./generators/zws');
 const randomGen = require('./generators/random');
@@ -45,7 +46,8 @@ module.exports = {
 .then((f2) => f2.body.pipe(fs.createWriteStream(Path.join(__dirname, 'uploads/', file.originalname)).on('close', () => resolve())))
 .catch(reject)),
 getS3url,
- getSafeExt
+ getSafeExt,
+ sanitize
 }
 function getS3url(s3key, type) {
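Review bot: The write sink in `downloadTempS3`, `Path.join(__dirname, 'uploads/', file.originalname)`, still trusts the caller to have run the newly exported `sanitize` first; `Path.join` normalizes `..` segments rather than rejecting them, so any caller that skips that step writes outside `uploads/`. Harden the sink itself so it does not depend on call-site discipline: `Path.join(__dirname, 'uploads', Path.basename(file.originalname))`, or reject when `Path.resolve(...)` does not begin with the uploads directory. A minor style point in the first hunk: the new require uses double quotes where every neighbouring require uses single quotes, `const sanitize = require('sanitize-filename');`. `downloadTempS3` begins before the hunk, so its parameter and the `fetch` call are not visible here.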