fix: Path Traversal Vulnerability
rflihxyz committed Nov 6, 2024
1 parent 5888e8f commit ea55758
Showing 1 changed file with 11 additions and 4 deletions.
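--- a/packages/api/src/@core/connections/@utils/base.service.ts
+++ b/packages/api/src/@core/connections/@utils/base.service.ts
@@ -76,10 +76,17 @@ export abstract class BaseConnectionService {
 };
 const formData = new FormData();
 for (const obj of data as MultipartData[]) {
-formData.append(
-obj.name,
-obj.file_name ? fs.createReadStream(obj.file_name) : obj.data,
-);
+// Sanitize and validate the file path
+if (obj.file_name) {
+const sanitizedPath = path.normalize(obj.file_name).replace(/^(\.\.(\/|\\|$))+/, '');
+// Optionally add additional path validation
+if (!fs.existsSync(sanitizedPath)) {
+throw new Error(`File not found: ${sanitizedPath}`);
+}
+formData.append(obj.name, fs.createReadStream(sanitizedPath));
+} else {
+formData.append(obj.name, obj.data);
+}
 }
 DATA = formData;
 break;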
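Review bot: The new check on `obj.file_name` only strips leading `../` segments after `path.normalize`, so an absolute path is left unchanged and a relative one still resolves against the process working directory; nothing confines the read to a directory intended for uploads. The usual fix is a containment check against a fixed base (`ALLOWED_ROOT` here is a placeholder, no such name appears on this page): `const resolved = path.resolve(ALLOWED_ROOT, obj.file_name);` followed by `if (!resolved.startsWith(ALLOWED_ROOT + path.sep)) throw new Error('Invalid file path');`, ideally applied to the `fs.realpathSync` result so a symlink cannot step outside the base. The `File not found: ${sanitizedPath}` message echoes the path and may reach the API caller depending on how errors are surfaced, so a generic message is safer. The enclosing method and the file's imports lie outside this hunk, so whether `path` is already in scope cannot be confirmed from here.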
