release: v1.4.0 (#49)

* release: v1.4.0

* fix code scanner issues

* fix: bundle file line endings

* fix: restrict publish workflow to read

* fix: enhance upload security with file validation and size limits

* refactor: replace custom rate limiter with express-rate-limit

---------

Co-authored-by: timothy-dynamsoft <[email protected]>

Author: dynamsoft-h

.github/workflows/publish.yml

@@ -1,4 +1,6 @@
 name: Publish Package
+permissions:
+  contents: read
 
 on:
   release:

README.md

@@ -1,11 +1,12 @@
-import formidable from "formidable";
+import cors from "cors";
 import express from "express";
+import rateLimit from "express-rate-limit";
+import formidable from "formidable";
 import fs from "fs";
 import http from "http";
 import https from "https";
-import cors from "cors";
-import path from "path";
 import os from "os";
+import path from "path";
 import { fileURLToPath } from "url";
 
 const __filename = fileURLToPath(import.meta.url);
@@ -23,6 +24,15 @@ if (!fs.existsSync(distPath)) {
 
 const app = express();
 
+// Rate limiting
+const limiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 100, // Limit each IP to 100 requests per windowMs
+  message: "Too many requests from this IP, please try again later.",
+});
+
+app.use(limiter);
+
 app.use(
   cors({
     origin: (origin, callback) => {
@@ -36,6 +46,7 @@ app.use("/dist", express.static(distPath));
 app.use("/assets", express.static(path.join(__dirname, "../samples/demo/assets")));
 app.use("/css", express.static(path.join(__dirname, "../samples/demo/css")));
 app.use("/font", express.static(path.join(__dirname, "../samples/demo/font")));
+app.use("/samples", express.static(path.join(__dirname, "../samples")));
 
 // Routes
 app.get("/", (req, res) => {
@@ -50,8 +61,16 @@ app.get("/hello-world", (req, res) => {
   res.sendFile(path.join(__dirname, "../samples/hello-world.html"));
 });
 
-app.get("/scenarios/use-file-input", (req, res) => {
-  res.sendFile(path.join(__dirname, "../samples/scenarios/use-file-input.html"));
+app.get("/multi-page-scanning", (req, res) => {
+  res.sendFile(path.join(__dirname, "../samples/scenarios/multi-page-scanning.html"));
+});
+
+app.get("/scanning-to-pdf", (req, res) => {
+  res.sendFile(path.join(__dirname, "../samples/scenarios/scanning-to-pdf.html"));
+});
+
+app.get("/image-file-scanning", (req, res) => {
+  res.sendFile(path.join(__dirname, "../samples/scenarios/image-file-scanning.html"));
 });
 
 // Allow upload feature
@@ -61,6 +80,8 @@ app.post("/upload", function (req, res) {
     const form = formidable({
       multiples: false,
       keepExtensions: true,
+      maxFileSize: 25 * 1024 * 1024, // 25MB limit
+      maxFiles: 1,
     });
 
     form.parse(req, (err, fields, files) => {
@@ -74,12 +95,27 @@ app.post("/upload", function (req, res) {
         return res.status(400).json({ success: false, message: "No file uploaded" });
       }
 
-      // Get current timestamp
-      let dt = new Date();
+      // Sanitize filename to prevent path traversal
+      const newFileName = path.basename(uploadedFile.originalFilename);
+
+      // Validate file extension (whitelist for document scanner)
+      const allowedExtensions = ['.jpg', '.jpeg', '.png', '.pdf', '.bmp', '.tiff', '.tif'];
+      const fileExt = path.extname(newFileName).toLowerCase();
+      if (!allowedExtensions.includes(fileExt)) {
+        return res.status(400).json({ success: false, message: "File type not allowed. Allowed types: jpg, jpeg, png, pdf, bmp, tiff" });
+      }
+
+      // Sanitize filename to remove potentially dangerous characters
+      const sanitizedName = newFileName.replace(/[^a-zA-Z0-9._-]/g, '_');
+
+      const fileSavePath = __dirname;
+      const newFilePath = path.resolve(fileSavePath, sanitizedName);
 
-      const fileSavePath = path.join(__dirname, "\\");
-      const newFileName = uploadedFile.originalFilename;
-      const newFilePath = path.join(fileSavePath, newFileName);
+      // Verify path is within allowed directory (robust check using relative path)
+      const relativePath = path.relative(fileSavePath, newFilePath);
+      if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
+        return res.status(400).json({ success: false, message: "Invalid filename - path traversal detected" });
+      }
 
       // Move the uploaded file to the desired directory
       fs.rename(uploadedFile.filepath, newFilePath, (err) => {
@@ -88,11 +124,11 @@ app.post("/upload", function (req, res) {
           return res.status(500).send("Error saving the file.");
         }
         console.log(`\x1b[33m ${newFileName} \x1b[0m uploaded successfully!`);
-      });
-      res.status(200).json({
-        success: true,
-        message: `${newFileName} uploaded successfully`,
-        filename: newFileName,
+        res.status(200).json({
+          success: true,
+          message: `${newFileName} uploaded successfully`,
+          filename: newFileName,
+        });
       });
     });
   } catch (error) {
@@ -151,7 +187,7 @@ httpsServer.on("error", (error) => {
     console.log(`2. Close any other applications using port ${httpsPort}`);
     console.log(`3. Wait a few moments and try again - the port might be in a cleanup state\n`);
   } else {
-    console.error("\x1b[31mHTTP Server error:\x1b[0m", error);
+    console.error("\x1b[31mHTTPS Server error:\x1b[0m", error);
   }
   process.exit(1);
 });
@@ -161,8 +197,12 @@ httpServer.listen(httpPort, () => {
   console.log("\n\x1b[1m Dynamsoft Document Scanner Samples\x1b[0m\n");
   console.log("\x1b[36m HTTP URLs:\x1b[0m");
   console.log("\x1b[90m-------------------\x1b[0m");
-  console.log("\x1b[33m Hello World:\x1b[0m    http://localhost:" + httpPort + "/hello-world");
-  console.log("\x1b[33m Demo:\x1b[0m    http://localhost:" + httpPort + "/demo");
+  console.log("\x1b[1m\x1b[35m → Samples Index:\x1b[0m    \x1b[1mhttp://localhost:" + httpPort + "/samples\x1b[0m");
+  console.log("\x1b[33m   Hello World:\x1b[0m    http://localhost:" + httpPort + "/hello-world");
+  console.log("\x1b[33m   Scanning to PDF:\x1b[0m    http://localhost:" + httpPort + "/scanning-to-pdf");
+  console.log("\x1b[33m   Demo:\x1b[0m    http://localhost:" + httpPort + "/demo");
+  console.log("\x1b[33m   Multi-Page Scanning:\x1b[0m    http://localhost:" + httpPort + "/multi-page-scanning");
+  console.log("\x1b[33m   Image File Scanning:\x1b[0m    http://localhost:" + httpPort + "/image-file-scanning");
 });
 
 httpsServer.listen(httpsPort, "0.0.0.0", () => {
@@ -179,9 +219,15 @@ httpsServer.listen(httpsPort, "0.0.0.0", () => {
   console.log("\n");
   console.log("\x1b[36m HTTPS URLs:\x1b[0m");
   console.log("\x1b[90m-------------------\x1b[0m");
-  ipv4Addresses.forEach((localIP) => {
-    console.log("\x1b[32m Hello World:\x1b[0m  https://" + localIP + ":" + httpsPort + "/hello-world");
-    console.log("\x1b[32m Demo:\x1b[0m  https://" + localIP + ":" + httpsPort + "/demo");
+  ipv4Addresses.forEach((localIP, index) => {
+    if (index > 0) console.log(""); // Add spacing between different IPs
+    console.log("\x1b[32m----IP[" + index + "]: " + localIP + "----\x1b");
+    console.log("\x1b[1m\x1b[35m → Samples Index:\x1b[0m  \x1b[1mhttps://" + localIP + ":" + httpsPort + "/samples\x1b[0m");
+    console.log("\x1b[32m   Hello World:\x1b[0m  https://" + localIP + ":" + httpsPort + "/hello-world");
+    console.log("\x1b[32m   Scanning to PDF:\x1b[0m  https://" + localIP + ":" + httpsPort + "/scanning-to-pdf");
+    console.log("\x1b[32m   Demo:\x1b[0m  https://" + localIP + ":" + httpsPort + "/demo");
+    console.log("\x1b[32m   Multi-Page Scanning:\x1b[0m  https://" + localIP + ":" + httpsPort + "/multi-page-scanning");
+    console.log("\x1b[32m   Image File Scanning:\x1b[0m  https://" + localIP + ":" + httpsPort + "/image-file-scanning");
   });
   console.log("\n");
   console.log("\x1b[90mPress Ctrl+C to stop the server\x1b[0m\n");

dev-server/index.js

@@ -1,13 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIICDDCCAXUCFGlprxUW7YsQSmqXwS3fjySQwexCMA0GCSqGSIb3DQEBCwUAMEUx
-CzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRl
-cm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMjAwMTE3MDE0OTM0WhcNMjAwMjE2MDE0
-OTM0WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
-CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GN
-ADCBiQKBgQCt3L/syEyB8B9O8Xhf3/SJOfTsoSs+3+/ELvFd07QEP0mySRjh9hUL
-BjB1bWJXBshn9JBzlfGUjRtNkc54VF1JfjFgi7UzqqyAlAwfEMBbp8jUX1Hh9iU7
-ctTAHxcAicTWTkRmToXJBUhbgTH+eF/GfQTdnByrncprQfuqdPg2KwIDAQABMA0G
-CSqGSIb3DQEBCwUAA4GBAKRRbXBhTS95IimKoIZq3RtVrjXpcsBn5ncyvFULc6Y5
-OkOxum5TO++XHVOJyalqyWpAQuz6i348hxTW6wqt5Js0UPGLGIb4Kq965QKKT+yJ
-WnHOnzZzJxiTs/1uGFjPAKgdvuDhcx36YsvSQ/UnJvF0rttjLKOGI5SkFMgz1Ufz
+MIIBrjCCAVOgAwIBAgIUCp1iPS8I82nAYLY6urLJIebD6v0wCgYIKoZIzj0EAwIw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNTEwMjAyMTMwMjFaFw0yNTExMTky
+MTMwMjFaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
+VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAAQSioVTYrJS1oJNQhaj5gr6M63uppPpaB5biwHIRkBBL4b/q/SDVDjR
+/YP2Ed8RrU2WrFyGsh5yhDJAZSWWUHAHoyEwHzAdBgNVHQ4EFgQUNrng2xZm0ouA
+NfGi8k96E6Mhb1IwCgYIKoZIzj0EAwIDSQAwRgIhALmnSAtb4UbcyFkWRZOlnkpk
+9QcukssrIyzFNElPM9jPAiEA9uJRNWFE/elq/P8cBB+Avx6bj3mDoww7DMZxiaeS
+fZQ=
 -----END CERTIFICATE-----

dev-server/pem/cert.pem

@@ -1,11 +1,8 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBhDCB7gIBADBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEh
-MB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEB
-AQUAA4GNADCBiQKBgQCt3L/syEyB8B9O8Xhf3/SJOfTsoSs+3+/ELvFd07QEP0my
-SRjh9hULBjB1bWJXBshn9JBzlfGUjRtNkc54VF1JfjFgi7UzqqyAlAwfEMBbp8jU
-X1Hh9iU7ctTAHxcAicTWTkRmToXJBUhbgTH+eF/GfQTdnByrncprQfuqdPg2KwID
-AQABoAAwDQYJKoZIhvcNAQELBQADgYEAgwEY90gQQzxIonWEgDxGRBHxSk0h3UE4
-rTP3JggV6h0vXMndOrDXC2qrh20fJaWIHqbBtmfOF4NmPhQTSZOZ2fIjPBeHZqLq
-8+K9iZPeyjnVIRyWkXfCPacoddTw2FcykRobgL6Wi/RoldutOnIDlTawo5Y/eXvm
-JI0428mqYU4=
+MIIBADCBpwIBADBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEh
+MB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFkwEwYHKoZIzj0CAQYI
+KoZIzj0DAQcDQgAEEoqFU2KyUtaCTUIWo+YK+jOt7qaT6WgeW4sByEZAQS+G/6v0
+g1Q40f2D9hHfEa1NlqxchrIecoQyQGUlllBwB6AAMAoGCCqGSM49BAMCA0gAMEUC
+IBUmLzT9IpVjQ4R5IYGakzwyXUjg2HI8E7jvfdcxpCFfAiEAnvHcm0pSnpIjESHc
+gfs4yMDzyJr0HJs1sH2MVr+X070=
 -----END CERTIFICATE REQUEST-----

dev-server/pem/csr.pem

@@ -1,15 +1,5 @@
------BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCt3L/syEyB8B9O8Xhf3/SJOfTsoSs+3+/ELvFd07QEP0mySRjh
-9hULBjB1bWJXBshn9JBzlfGUjRtNkc54VF1JfjFgi7UzqqyAlAwfEMBbp8jUX1Hh
-9iU7ctTAHxcAicTWTkRmToXJBUhbgTH+eF/GfQTdnByrncprQfuqdPg2KwIDAQAB
-AoGAO6O6zm2TGQuWoczhPvoi9yPDaZyLqiDFLaXws//YA5D2Jcs/VtvEMijoXI+u
-KS4xdr+FAbFQ0mVpFT3L9qjx6p/lSVKzJ1tlVlp7klJzK0VOWmMojLrhsstp44ah
-jZQdxcnlEDgeBwXj5m09fr7YFfIiyHef+r9ORqn00F7K+xkCQQDhy5k00dsfL5MY
-oy70Ikb70n90qktnFXrgsgEeojG0j0OmJUdNLV6gXbkD4lEeh6iK5XdAEuso+Qw1
-5Ksa3d11AkEAxR6yMXPIbl+4y24TbIGAZwb44Lyn9DAnLm5qgFvMgJARz+kqlYyr
-tpZ6cD1JY3fuF+umDlNPYzxGxy3kz/sxHwJBAJNiLDzYBmmSyjc4vPtKLH9PZTan
-udQtpylnx2dRg5RSN1wJ1ULBLJUM2Cl63mxJLHCNW4uNTcZO2fOLsUw2KckCQBFp
-dboSjSjawbsOfR6/jbUME53ebEOQoVVjoXq3IShWEYy4/u743w4g2q3hbAMiS+DH
-CwMG7uNIJsRfVG/es2cCQD7R6ebztt858vYZzfLMLMsJTF2YQs1YG91x76lZLhNp
-tcTTENHD4g9v/Q5MV+fhN0UuJ2ikrXULAgDmJMvAVyk=
------END RSA PRIVATE KEY-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEILIGf02Od9J9c/16X11u7XOplP0lBfoLwmlf0QOnF1jroAoGCCqGSM49
+AwEHoUQDQgAEEoqFU2KyUtaCTUIWo+YK+jOt7qaT6WgeW4sByEZAQS+G/6v0g1Q4
+0f2D9hHfEa1NlqxchrIecoQyQGUlllBwBw==
+-----END EC PRIVATE KEY-----