forked from FoundKeyGang/FoundKey
fix(server): validate filename and emoji name to improve security
0d7256678e
Co-authored-by: Johann150 <johann.galle@protonmail.com>
Changelog: Fixed
This commit is contained in:
parent
c1ae134c0a
commit
af272ce358
2 changed files with 8 additions and 0 deletions
|
@ -58,6 +58,10 @@ export async function exportCustomEmojis(job: Bull.Job, done: () => void): Promi
|
|||
});
|
||||
|
||||
for (const emoji of customEmojis) {
|
||||
if (!/^[a-zA-Z0-9_]+$/.test(emoji.name)) {
|
||||
this.logger.error(`invalid emoji name: ${emoji.name}, skipping in emoji export`);
|
||||
continue;
|
||||
}
|
||||
const ext = mime.extension(emoji.type);
|
||||
const fileName = emoji.name + (ext ? '.' + ext : '');
|
||||
const emojiPath = path + '/' + fileName;
|
||||
|
|
|
@ -50,6 +50,10 @@ export async function importCustomEmojis(job: Bull.Job<DbUserImportJobData>, don
|
|||
|
||||
for (const record of meta.emojis) {
|
||||
if (!record.downloaded) continue;
|
||||
if (!/^[a-zA-Z0-9_]+?([a-zA-Z0-9\.]+)?$/.test(record.fileName)) {
|
||||
this.logger.error(`invalid filename: ${record.fileName}, skipping in emoji import`);
|
||||
continue;
|
||||
}
|
||||
const emojiInfo = record.emoji;
|
||||
const emojiPath = outputPath + '/' + record.fileName;
|
||||
await Emojis.delete({
|
||||
|
|
Loading…
Reference in a new issue