From b931dfb784b6168431544b34796d7110f525a333 Mon Sep 17 00:00:00 2001
From: Jonatan Nilsson
Date: Tue, 16 Aug 2022 08:30:27 +0000
Subject: [PATCH] unlinkFile: Fix so it decodes the uri path. Also add some safety checks
---
 api/media/routes.mjs | 11 +++++++++--
 package.json | 2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/api/media/routes.mjs b/api/media/routes.mjs
index 950048d..b782c6c 100644
--- a/api/media/routes.mjs
+++ b/api/media/routes.mjs
@@ -199,9 +199,16 @@ export default class MediaRoutes {
 this.filesCacheRemove(site, ctx.params.filename)
- await this.fs.unlink(`${config.get('uploadFolder')}/${site}/${ctx.params.filename}`)
+ let root = `${config.get('uploadFolder')}/${site}`
+ var unlinkPath = path.join(root, decodeURIComponent(ctx.params.filename))
+
+ if (unlinkPath.indexOf(root) !== 0) {
+ throw new HttpError(403, `Error removing ${unlinkPath}: Traversing folder is not allowed`)
+ }
+
+ await this.fs.unlink(unlinkPath)
 .catch(function(err) {
- throw new HttpError(422, `Error removing ${site}/${ctx.params.filename}: ${err.message}`)
+ throw new HttpError(422, `Error removing ${unlinkPath}: ${err.message}`)
 })
 ctx.status = 204
diff --git a/package.json b/package.json
index c71f746..d84880e 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "storage-upload",
- "version": "2.2.5",
+ "version": "2.2.6",
 "description": "Micro service for uploading and image resizing files to a storage server.",
 "main": "index.js",
 "scripts": {
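Review bot: The prefix check `unlinkPath.indexOf(root) !== 0` still lets a decoded filename escape into a sibling directory whose name starts with the site name: `path.join` turns `../site2/x` into `<uploadFolder>/site2/x`, which begins with `<uploadFolder>/site`, so the 403 is never raised. `root` is also a raw template string rather than a resolved path, so a trailing slash or `./` segment in `uploadFolder` makes the comparison fail for every legitimate file. Resolve both sides and require the separator: `const root = path.resolve(config.get('uploadFolder'), site)`, `const unlinkPath = path.resolve(root, decodeURIComponent(ctx.params.filename))`, `if (!unlinkPath.startsWith(root + path.sep)) { throw new HttpError(403, 'Traversing folder is not allowed') }`. Dropping `unlinkPath` from the 403 and 422 messages also avoids echoing the server's absolute upload path to the client, and `decodeURIComponent` throws `URIError` on malformed percent-encoding, which presumably surfaces as a 500 unless a handler outside this hunk catches it. The enclosing method starts and ends outside the hunk, and `filesCacheRemove` on the first context line still runs before the traversal check.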