From 084dcd69d1591586ee4752101e675d5f0ac6dcdc Mon Sep 17 00:00:00 2001
From: NGPixel
Date: Sat, 3 Oct 2020 01:44:57 -0400
Subject: [PATCH] fix: strip directory traversal sequences from asset paths
---
 server/helpers/page.js | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/server/helpers/page.js b/server/helpers/page.js
index 5b3079a8..e2e03648 100644
--- a/server/helpers/page.js
+++ b/server/helpers/page.js
@@ -5,6 +5,8 @@ const path = require('path')
 const localeSegmentRegex = /^[A-Z]{2}(-[A-Z]{2})?$/i
 const localeFolderRegex = /^([a-z]{2}(?:-[a-z]{2})?\/)?(.*)/i
+// eslint-disable-next-line no-control-regex
+const unsafeCharsRegex = /[\x00-\x1f\x80-\x9f\\"|<>:*?]/
 const contentToExt = {
 markdown: 'md',
@@ -30,10 +32,14 @@ module.exports = {
 // Clean Path
 rawPath = _.trim(qs.unescape(rawPath))
 if (_.startsWith(rawPath, '/')) { rawPath = rawPath.substring(1) }
+ rawPath = rawPath.replace(unsafeCharsRegex, '')
 if (rawPath === '') { rawPath = 'home' }
 // Extract Info
- let pathParts = _.filter(_.split(rawPath, '/'), p => !_.isEmpty(p))
+ let pathParts = _.filter(_.split(rawPath, '/'), p => {
+ p = _.trim(p)
+ return !_.isEmpty(p) && p !== '..' && p !== '.'
+ })
 if (pathParts[0].length === 1) {
 pathParts.shift()
 }
@@ -73,7 +79,7 @@ module.exports = {
 ['date', page.updatedAt],
 ['tags', page.tags ? page.tags.map(t => t.tag).join(', ') : ''],
 ['editor', page.editorKey],
- ['dateCreated', page.createdAt],
+ ['dateCreated', page.createdAt]
 ]
 switch (page.contentType) {
 case 'markdown':
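Review bot: `unsafeCharsRegex` is declared without the `g` flag, so the `rawPath.replace(unsafeCharsRegex, '')` call added in the second hunk removes only the first matching character and leaves any later control character, backslash or `:` in the path. If the intent is to strip all of them, declare it as `const unsafeCharsRegex = /[\x00-\x1f\x80-\x9f\\"|<>:*?]/g`. A one-line comment above the constant naming the rejected classes (control bytes and reserved filename characters) would also help the next reader. Whether the regex is reused with `.test()` elsewhere, where a global flag becomes stateful, is not visible in this patch.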
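Review bot: After the new filter drops `.` and `..` segments, `pathParts` can be empty (a path made up only of such segments), and the unchanged `pathParts[0].length` check right after it then throws a TypeError, because the `rawPath === ''` fallback to `'home'` runs before the filtering. Re-apply the fallback after the filter and before the length check, for example `if (pathParts.length === 0) { pathParts = ['home'] }`. Note also that `p = _.trim(p)` only affects the predicate, so a segment that is kept retains its surrounding whitespace. The enclosing function starts and ends outside this hunk, so how callers handle the exception cannot be confirmed from here.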