dennii/dbgate
1
0
Fork 0
mirror of https://github.com/DeNNiiInc/dbgate.git synced 2026-04-19 20:06:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

SYNC: security rename

Browse Source
This commit is contained in:
SPRINX0\prochazka
2025-06-12 13:50:52 +02:00
committed by Diflow
parent cf3f95c952
commit 70801d958e
2 changed files with 8 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
packages/api/src/controllers/files.js
View File

@@ -12,7 +12,7 @@ const getMapExport = require('../utility/getMapExport');
const dbgateApi = require('../shell');
const { getLogger } = require('dbgate-tools');
const platformInfo = require('../utility/platformInfo');
const { checkSecureFilePaths, checkSecureDirectories } = require('../utility/security');
const { checkSecureFilePathsWithoutDirectory, checkSecureDirectories } = require('../utility/security');
const logger = getLogger('files');
function serialize(format, data) {
@@ -53,7 +53,7 @@ module.exports = {
delete_meta: true,
async delete({ folder, file }, req) {
if (!hasPermission(`files/${folder}/write`, req)) return false;
if (!checkSecureFilePaths(folder, file)) {
if (!checkSecureFilePathsWithoutDirectory(folder, file)) {
return false;
}
await fs.unlink(path.join(filesdir(), folder, file));
@@ -65,7 +65,7 @@ module.exports = {
rename_meta: true,
async rename({ folder, file, newFile }, req) {
if (!hasPermission(`files/${folder}/write`, req)) return false;
if (!checkSecureFilePaths(folder, file, newFile)) {
if (!checkSecureFilePathsWithoutDirectory(folder, file, newFile)) {
return false;
}
await fs.rename(path.join(filesdir(), folder, file), path.join(filesdir(), folder, newFile));
@@ -85,7 +85,7 @@ module.exports = {
copy_meta: true,
async copy({ folder, file, newFile }, req) {
if (!checkSecureFilePaths(folder, file, newFile)) {
if (!checkSecureFilePathsWithoutDirectory(folder, file, newFile)) {
return false;
}
if (!hasPermission(`files/${folder}/write`, req)) return false;
@@ -97,7 +97,7 @@ module.exports = {
load_meta: true,
async load({ folder, file, format }, req) {
if (!checkSecureFilePaths(folder, file)) {
if (!checkSecureFilePathsWithoutDirectory(folder, file)) {
return false;
}
@@ -130,7 +130,7 @@ module.exports = {
save_meta: true,
async save({ folder, file, data, format }, req) {
if (!checkSecureFilePaths(folder, file)) {
if (!checkSecureFilePathsWithoutDirectory(folder, file)) {
return false;
}

4
packages/api/src/utility/security.js
View File

@@ -1,7 +1,7 @@
const path = require('path');
const { filesdir, archivedir, uploadsdir, appdir } = require('../utility/directories');
function checkSecureFilePaths(...filePaths) {
function checkSecureFilePathsWithoutDirectory(...filePaths) {
for (const filePath of filePaths) {
if (filePath.includes('..') || filePath.includes('/') || filePath.includes('\\')) {
return false;
@@ -47,6 +47,6 @@ function checkSecureDirectoriesInScript(script) {
module.exports = {
checkSecureDirectories,
checkSecureFilePaths,
checkSecureFilePathsWithoutDirectory,
checkSecureDirectoriesInScript,
};