From 8c15ab4c84aba0c2c85896d26ce451cee24201b2 Mon Sep 17 00:00:00 2001
From: Alicia Sykes
Date: Sun, 1 May 2022 22:26:55 +0100
Subject: [PATCH] :closed_lock_with_key: Adds local path checking
---
 services/save-config.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/services/save-config.js b/services/save-config.js
index 57b6766f..c73cecba 100644
--- a/services/save-config.js
+++ b/services/save-config.js
@@ -7,6 +7,14 @@ const fsPromises = require('fs').promises;
 module.exports = async (newConfig, render) => {
+ /* Either returns nothing (if using default path), or strips navigational characters from path */
+ const makeSafeFileName = (configObj) => {
+ if (!configObj || !configObj.filename) return undefined;
+ return configObj.filename.replaceAll('/', '').replaceAll('..', '');
+ };
+
+ const usersFileName = makeSafeFileName(newConfig);
+
 // Define constants for the config file
 const settings = {
 defaultLocation: './public/',
@@ -16,11 +24,11 @@ module.exports = async (newConfig, render) => {
 };
 // Make the full file name and path to save the backup config file
- const backupFilePath = `${settings.defaultLocation}${newConfig.filename || settings.filename}-`
+ const backupFilePath = `${settings.defaultLocation}${usersFileName || settings.filename}-`
 + `${Math.round(new Date() / 1000)}${settings.backupDenominator}`;
 // The path where the main conf.yml should be read and saved to
- const defaultFilePath = settings.defaultLocation + (newConfig.filename || settings.defaultFile);
+ const defaultFilePath = settings.defaultLocation + (usersFileName || settings.defaultFile);
 // Returns a string confirming successful job
 const getSuccessMessage = () => `Successfully backed up ${settings.defaultFile} to`
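Review bot: `makeSafeFileName` calls `.replaceAll` on `configObj.filename` without checking that it is a string, so a truthy non-string `newConfig.filename` (a number, array or object) throws a TypeError inside the async function instead of being rejected or falling back to the default file. The helper is also a deny-list: it strips `/` and `..` but leaves backslashes and every other character, and the cleaned name can still select any file directly under `settings.defaultLocation`. An allow-list is easier to reason about, for example `if (!configObj || typeof configObj.filename !== 'string') return undefined;` followed by `return /^[\w-]+\.yml$/.test(configObj.filename) ? configObj.filename : undefined;`. The `.yml` requirement is an assumption drawn from the `conf.yml` default and should be confirmed. `String.prototype.replaceAll` needs Node 15 or later, which is worth checking against the versions the project supports.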
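Review bot: Both `backupFilePath` and `defaultFilePath` are still built by string concatenation, so the write target is only as safe as the stripping done in `makeSafeFileName`; a containment check at the point of use would make that independent of the helper. Something like `if (!path.resolve(defaultFilePath).startsWith(path.resolve(settings.defaultLocation) + path.sep)) throw new Error('Invalid config path');` would do it, assuming `path` is required at the top of the file, which is outside this hunk. Separately, a supplied name such as `team.yml` (constructed example) produces a backup called `team.yml-<timestamp>.backup.yml`, while the default produces `conf-<timestamp>.backup.yml`; dropping the extension before building `backupFilePath` would keep the naming consistent. The function body continues past the end of the hunk.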