unlinkFile: Fix so it decodes the uri path. Also add some safety checks

api/media/routes.mjs

@@ -199,9 +199,16 @@ export default class MediaRoutes {
 
     this.filesCacheRemove(site, ctx.params.filename)
 
-    await this.fs.unlink(`${config.get('uploadFolder')}/${site}/${ctx.params.filename}`)
+    let root = `${config.get('uploadFolder')}/${site}`
+    var unlinkPath = path.join(root, decodeURIComponent(ctx.params.filename))
+
+    if (unlinkPath.indexOf(root) !== 0) {
+      throw new HttpError(403, `Error removing ${unlinkPath}: Traversing folder is not allowed`)
+    }
+
+    await this.fs.unlink(unlinkPath)
       .catch(function(err) {
-        throw new HttpError(422, `Error removing ${site}/${ctx.params.filename}: ${err.message}`)
+        throw new HttpError(422, `Error removing ${unlinkPath}: ${err.message}`)
       })
 
     ctx.status = 204

package.json

@@ -1,6 +1,6 @@
 {
   "name": "storage-upload",
-  "version": "2.2.5",
+  "version": "2.2.6",
   "description": "Micro service for uploading and image resizing files to a storage server.",
   "main": "index.js",
   "scripts": {