SYNC: security fixes

SPRINX0\prochazka
2025-06-12 13:49:23 +02:00
committed by Diflow
parent 3f37b2b728
commit cf3f95c952
4 changed files with 71 additions and 19 deletions


@@ -12,6 +12,7 @@ const getMapExport = require('../utility/getMapExport');
const dbgateApi = require('../shell');
const { getLogger } = require('dbgate-tools');
const platformInfo = require('../utility/platformInfo');
const { checkSecureFilePaths, checkSecureDirectories } = require('../utility/security');
const logger = getLogger('files');
function serialize(format, data) {
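Review bot: The `require('../utility/security')` line makes every path check in this controller depend on a module that is not shown in this section, so the checks cannot be verified from here. If the two helpers were moved unchanged from the bodies removed in the next hunk, `filePath.includes(...)` throws on a non-string argument instead of rejecting it. In that case `checkSecureDirectories` would also still compare `path.dirname(filePath)` with loose `!=` against directory names that are not normalised first. I would add `if (typeof filePath !== 'string') return false;` at the top of both loops and compare `path.dirname(path.resolve(filePath))` with `!==`. A short comment in the shared module stating that callers must reject the request when either helper returns `false` would also help.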
@@ -26,25 +27,6 @@ function deserialize(format, text) {
throw new Error(`Invalid format: ${format}`);
}
function checkSecureFilePaths(...filePaths) {
for (const filePath of filePaths) {
if (filePath.includes('..') || filePath.includes('/') || filePath.includes('\\')) {
return false;
}
}
return true;
}
function checkSecureDirectories(...filePaths) {
for (const filePath of filePaths) {
const directory = path.dirname(filePath);
if (directory != filesdir() && directory != uploadsdir() && directory != archivedir() && directory != appdir()) {
return false;
}
}
return true;
}
module.exports = {
list_meta: true,
async list({ folder }, req) {