fix: translator path traversal

3 years ago · c8b2fc46dc
parent 835c73c431
commit c8b2fc46dc
3 changed files with 11 additions and 2 deletions
--- a/src/languages.js
+++ b/src/languages.js
@ -13,7 +13,11 @@ const files = fs.readdirSync(path.join(paths.nodeModules, '/timeago/locales'));
 Languages.timeagoCodes = files.filter(f => f.startsWith('jquery.timeago')).map(f => f.split('.')[2]);
 Languages.get = async function (language, namespace) {
-	const data = await fs.promises.readFile(path.join(languagesPath, language, `${namespace}.json`), 'utf8');
+	const pathToLanguageFile = path.join(languagesPath, language, `${namespace}.json`);
 	if (!pathToLanguageFile.startsWith(languagesPath)) {
 		throw new Error('[[error:invalid-path]]');
 	}
 	const data = await fs.promises.readFile(pathToLanguageFile, 'utf8');
 	const parsed = JSON.parse(data) || {};
 	const result = await plugins.hooks.fire('filter:languages.get', {
 		language,
--- a/test/posts.js
+++ b/test/posts.js
@ -1,7 +1,7 @@
 'use strict';
-const	assert = require('assert');
+const assert = require('assert');
 const async = require('async');
 const request = require('request');
 const nconf = require('nconf');
--- a/test/translator.js
+++ b/test/translator.js
@ -35,6 +35,11 @@ describe('Translator shim', () => {
 			const translated = await shim.translate('', 'en-GB');
 			assert.strictEqual(translated, '');
 		});
 		it('should not allow path traversal', async () => {
 			const t = await shim.translate('[[../../../../config:secret]]');
 			assert.strictEqual(t, 'secret');
 		});
 	});
 });