From 3ea66f84e1332f6b51e4b3ba4f5cff3d5eb53638 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 3 Dec 2020 07:41:14 -0500
Subject: [PATCH] fix: use file lib instead of directly accessing fs (for Assert.path)

---
 src/middleware/assert.js | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/middleware/assert.js b/src/middleware/assert.js
index 6ad369b4a3..714beb6df3 100644
--- a/src/middleware/assert.js
+++ b/src/middleware/assert.js
@@ -5,12 +5,10 @@
 * payload and throw an error otherwise.
 */
 
-const fs = require('fs');
-const fsPromises = fs.promises;
 const path = require('path');
-
 const nconf = require('nconf');
 
+const file = require('../file');
 const user = require('../user');
 const groups = require('../groups');
 const topics = require('../topics');
@@ -64,13 +62,12 @@ Assert.path = helpers.try(async (req, res, next) => {
 const pathToFile = path.join(nconf.get('upload_path'), req.body.path);
 res.locals.cleanedPath = pathToFile;
 
+// Guard against path traversal
 if (!pathToFile.startsWith(nconf.get('upload_path'))) {
 return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
 }
 
-try {
-await fsPromises.access(pathToFile, fs.constants.F_OK);
-} catch (e) {
+if (!await file.exists(pathToFile)) {
 return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
 }
 
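Review bot: The check that the second hunk now labels `// Guard against path traversal` is a bare string-prefix test, so a joined path that resolves into a sibling directory whose name merely begins with the `upload_path` value still passes it and reaches `file.exists`; the new comment overstates what the guard covers. Comparing on a path boundary closes the gap: `const rel = path.relative(nconf.get('upload_path'), pathToFile);` then `if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {` in place of the `startsWith` condition. `file.exists` is defined outside this patch; if it rethrows errors other than a missing file, a failure that the removed `catch` turned into the 404 would now propagate to `helpers.try`, which is worth confirming. The body of `Assert.path` starts and ends outside the hunk.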