unlinkFile: Fix so it decodes the uri path. Also add some safety checks
Some checks failed
continuous-integration/appveyor/branch AppVeyor build failed

Jonatan Nilsson 2022-08-16 08:30:27 +00:00
parent f1be7e0d79
commit b931dfb784
2 changed files with 10 additions and 3 deletions


@ -199,9 +199,16 @@ export default class MediaRoutes {
this.filesCacheRemove(site, ctx.params.filename) this.filesCacheRemove(site, ctx.params.filename)
await this.fs.unlink(`${config.get('uploadFolder')}/${site}/${ctx.params.filename}`) let root = `${config.get('uploadFolder')}/${site}`
var unlinkPath = path.join(root, decodeURIComponent(ctx.params.filename))
if (unlinkPath.indexOf(root) !== 0) {
throw new HttpError(403, `Error removing ${unlinkPath}: Traversing folder is not allowed`)
}
await this.fs.unlink(unlinkPath)
.catch(function(err) { .catch(function(err) {
throw new HttpError(422, `Error removing ${site}/${ctx.params.filename}: ${err.message}`) throw new HttpError(422, `Error removing ${unlinkPath}: ${err.message}`)
}) })
ctx.status = 204 ctx.status = 204
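Review bot: The containment check `unlinkPath.indexOf(root) !== 0` is a plain string-prefix test with no trailing separator, so a decoded filename that resolves into a sibling directory whose name begins with the same characters as `site` still passes it. `root` is also compared un-normalised against the output of `path.join`, which normalises separators and `.` segments, so the check can reject every request when `uploadFolder` is not already in normalised form or the platform separator is not `/`. I would build the root with `const root = path.resolve(config.get('uploadFolder'), site)` and reject unless `unlinkPath.startsWith(root + path.sep)`. Both `HttpError` messages now interpolate `unlinkPath`, which presumably hands the server-side upload folder path back to the caller, whereas the previous `${site}/${ctx.params.filename}` form did not. The enclosing method starts and ends outside the hunk and the rendered page appears to have dropped some lines, so this is based on the visible lines only.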


@ -1,6 +1,6 @@
{ {
"name": "storage-upload", "name": "storage-upload",
"version": "2.2.5", "version": "2.2.6",
"description": "Micro service for uploading and image resizing files to a storage server.", "description": "Micro service for uploading and image resizing files to a storage server.",
"main": "index.js", "main": "index.js",
"scripts": { "scripts": {