dennii/dbgate
1
0
Fork 0
mirror of https://github.com/DeNNiiInc/dbgate.git synced 2026-04-26 02:55:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: prevent file traversal in uploads

Browse Source
This commit is contained in:
SPRINX0\prochazka
2025-06-12 10:43:27 +02:00
parent c34f2d4da7
commit 18b11df672
1 changed files with 4 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
packages/api/src/controllers/uploads.js
View File

@@ -44,6 +44,10 @@ module.exports = {
raw: true, raw: true,
}, },
get(req, res) { get(req, res) {
if (req.query.file.includes('..') || req.query.file.includes('/') || req.query.file.includes('\\')) {
res.status(400).send('Invalid file path');
return;
}
res.sendFile(path.join(uploadsdir(), req.query.file)); res.sendFile(path.join(uploadsdir(), req.query.file));
}, },