|
|
|
@ -5,12 +5,10 @@
|
|
|
|
* payload and throw an error otherwise.
|
|
|
|
* payload and throw an error otherwise.
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
const fs = require('fs');
|
|
|
|
|
|
|
|
const fsPromises = fs.promises;
|
|
|
|
|
|
|
|
const path = require('path');
|
|
|
|
const path = require('path');
|
|
|
|
|
|
|
|
|
|
|
|
const nconf = require('nconf');
|
|
|
|
const nconf = require('nconf');
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
const file = require('../file');
|
|
|
|
const user = require('../user');
|
|
|
|
const user = require('../user');
|
|
|
|
const groups = require('../groups');
|
|
|
|
const groups = require('../groups');
|
|
|
|
const topics = require('../topics');
|
|
|
|
const topics = require('../topics');
|
|
|
|
@ -64,13 +62,12 @@ Assert.path = helpers.try(async (req, res, next) => {
|
|
|
|
const pathToFile = path.join(nconf.get('upload_path'), req.body.path);
|
|
|
|
const pathToFile = path.join(nconf.get('upload_path'), req.body.path);
|
|
|
|
res.locals.cleanedPath = pathToFile;
|
|
|
|
res.locals.cleanedPath = pathToFile;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Guard against path traversal
|
|
|
|
if (!pathToFile.startsWith(nconf.get('upload_path'))) {
|
|
|
|
if (!pathToFile.startsWith(nconf.get('upload_path'))) {
|
|
|
|
return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
|
|
|
|
return controllerHelpers.formatApiResponse(403, res, new Error('[[error:invalid-path]]'));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
try {
|
|
|
|
if (!await file.exists(pathToFile)) {
|
|
|
|
await fsPromises.access(pathToFile, fs.constants.F_OK);
|
|
|
|
|
|
|
|
} catch (e) {
|
|
|
|
|
|
|
|
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
|
|
|
|
return controllerHelpers.formatApiResponse(404, res, new Error('[[error:invalid-path]]'));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
Julian Lam
4 years ago