From af272ce3583268ebef179dde42c0567066c7241e Mon Sep 17 00:00:00 2001
From: syuilo
Date: Sun, 5 Feb 2023 14:25:37 +0900
Subject: [PATCH] fix(server): validate filename and emoji name to improve security
https://github.com/misskey-dev/misskey/commit/0d7256678e390af9e7576571b3fd262e265fbe18
Co-authored-by: Johann150
Changelog: Fixed
---
 .../backend/src/queue/processors/db/export-custom-emojis.ts | 4 ++++
 .../backend/src/queue/processors/db/import-custom-emojis.ts | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/packages/backend/src/queue/processors/db/export-custom-emojis.ts b/packages/backend/src/queue/processors/db/export-custom-emojis.ts
index c7e2e825d..f31531db4 100644
--- a/packages/backend/src/queue/processors/db/export-custom-emojis.ts
+++ b/packages/backend/src/queue/processors/db/export-custom-emojis.ts
@@ -58,6 +58,10 @@ export async function exportCustomEmojis(job: Bull.Job, done: () => void): Promi
 });
 
 for (const emoji of customEmojis) {
+ if (!/^[a-zA-Z0-9_]+$/.test(emoji.name)) {
+ this.logger.error(`invalid emoji name: ${emoji.name}, skipping in emoji export`);
+ continue;
+ }
 const ext = mime.extension(emoji.type);
 const fileName = emoji.name + (ext ? '.' + ext : '');
 const emojiPath = path + '/' + fileName;
diff --git a/packages/backend/src/queue/processors/db/import-custom-emojis.ts b/packages/backend/src/queue/processors/db/import-custom-emojis.ts
index 1d06d5ff8..855017460 100644
--- a/packages/backend/src/queue/processors/db/import-custom-emojis.ts
+++ b/packages/backend/src/queue/processors/db/import-custom-emojis.ts
@@ -50,6 +50,10 @@ export async function importCustomEmojis(job: Bull.Job, don
 
 for (const record of meta.emojis) {
 if (!record.downloaded) continue;
+ if (!/^[a-zA-Z0-9_]+?([a-zA-Z0-9\.]+)?$/.test(record.fileName)) {
+ this.logger.error(`invalid filename: ${record.fileName}, skipping in emoji import`);
+ continue;
+ }
 const emojiInfo = record.emoji;
 const emojiPath = outputPath + '/' + record.fileName;
 await Emojis.delete({
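Review bot: The allow-list on the added `if (!/^[a-zA-Z0-9_]+$/.test(emoji.name))` line is repeated in a slightly different form in import-custom-emojis.ts in the same commit; a single shared constant such as `const EMOJI_NAME_PATTERN = /^[a-zA-Z0-9_]+$/;` used by both processors would keep the two checks from drifting apart. The check has no comment saying why it exists; `// name is joined into emojiPath below, so reject anything outside the allow-list (no separators, no '..')` would tell the next reader it is a path-safety guard, not a naming convention. A skipped emoji is only logged, so the job still completes and the resulting archive is silently incomplete; counting skipped entries and reporting the count in the job result would make that visible. exportCustomEmojis starts and ends outside the hunk.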
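Review bot: The regex on the added line, `/^[a-zA-Z0-9_]+?([a-zA-Z0-9\.]+)?$/`, does exclude `/`, `\` and a bare `..`, but the lazy quantifier plus optional group is hard to read, and it accepts values like `a..b` while rejecting `a.b_c`; `/^[a-zA-Z0-9_]+(\.[a-zA-Z0-9]+)?$/` states the intent (name plus optional extension, the shape export-custom-emojis.ts writes) directly. Since `record.fileName` is read from the imported metadata rather than produced by this server (inferred from the surrounding loop over `meta.emojis`), a comment such as `// fileName comes from the imported meta, not from us; allow-list it before it is joined into emojiPath` would record why the guard sits here. `record.emoji` on the next line comes from the same metadata and is not covered by this check; if its fields are later used in a path or a lookup, they presumably need the same treatment, which cannot be confirmed from the hunk. importCustomEmojis starts and ends outside the hunk.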