SYNC: security fixes

packages/api/src/utility/security.js

@@ -0,0 +1,52 @@
+const path = require('path');
+const { filesdir, archivedir, uploadsdir, appdir } = require('../utility/directories');
+
+function checkSecureFilePaths(...filePaths) {
+  for (const filePath of filePaths) {
+    if (filePath.includes('..') || filePath.includes('/') || filePath.includes('\\')) {
+      return false;
+    }
+  }
+  return true;
+}
+
+function checkSecureDirectories(...filePaths) {
+  for (const filePath of filePaths) {
+    if (!filePath.includes('/') && !filePath.includes('\\')) {
+      // If the filePath does not contain any directory separators, it is considered secure
+      continue;
+    }
+    const directory = path.dirname(filePath);
+    if (directory != filesdir() && directory != uploadsdir() && directory != archivedir() && directory != appdir()) {
+      return false;
+    }
+  }
+  return true;
+}
+
+function findDisallowedFileNames(node, isAllowed, trace = '$', out = []) {
+  if (node && typeof node === 'object') {
+    if (node?.props?.fileName) {
+      const name = node.props.fileName;
+      const ok = isAllowed(name);
+      if (!ok) out.push({ path: `${trace}.props.fileName`, value: name });
+    }
+
+    // depth-first scan of every property / array index
+    for (const [key, val] of Object.entries(node)) {
+      findDisallowedFileNames(val, isAllowed, `${trace}.${key}`, out);
+    }
+  }
+  return out;
+}
+
+function checkSecureDirectoriesInScript(script) {
+  const disallowed = findDisallowedFileNames(script, checkSecureDirectories);
+  return disallowed.length == 0;
+}
+
+module.exports = {
+  checkSecureDirectories,
+  checkSecureFilePaths,
+  checkSecureDirectoriesInScript,
+};