dennii/dbgate
1
0
Fork 0
mirror of https://github.com/DeNNiiInc/dbgate.git synced 2026-04-23 11:36:01 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
63665e6e9ccaf43391709698881b9eaf3fde9dbd
dbgate/packages/api/src/utility/security.js
SPRINX0\prochazka 70801d958e SYNC: security rename
2025-06-12 11:51:22 +00:00

53 lines
1.6 KiB
JavaScript
Raw Blame History

const path = require('path');
const { filesdir, archivedir, uploadsdir, appdir } = require('../utility/directories');
function checkSecureFilePathsWithoutDirectory(...filePaths) {
for (const filePath of filePaths) {
if (filePath.includes('..') || filePath.includes('/') || filePath.includes('\\')) {
return false;
}
}
return true;
}
function checkSecureDirectories(...filePaths) {
for (const filePath of filePaths) {
if (!filePath.includes('/') && !filePath.includes('\\')) {
// If the filePath does not contain any directory separators, it is considered secure
continue;
}
const directory = path.dirname(filePath);
if (directory != filesdir() && directory != uploadsdir() && directory != archivedir() && directory != appdir()) {
return false;
}
}
return true;
}
function findDisallowedFileNames(node, isAllowed, trace = '$', out = []) {
if (node && typeof node === 'object') {
if (node?.props?.fileName) {
const name = node.props.fileName;
const ok = isAllowed(name);
if (!ok) out.push({ path: `${trace}.props.fileName`, value: name });
}
// depth-first scan of every property / array index
for (const [key, val] of Object.entries(node)) {
findDisallowedFileNames(val, isAllowed, `${trace}.${key}`, out);
}
}
return out;
}
function checkSecureDirectoriesInScript(script) {
const disallowed = findDisallowedFileNames(script, checkSecureDirectories);
return disallowed.length == 0;
}
module.exports = {
checkSecureDirectories,
checkSecureFilePathsWithoutDirectory,
checkSecureDirectoriesInScript,
};
Reference in New Issue View Git Blame Copy Permalink