Update dependencies and fix local server directory traversal

kris7t · SpecialAro · commit 03b87704f6a1 · 2022-07-10T23:03:28.000+01:00
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-16.15.0
+16.15.1
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -49,8 +49,8 @@ Currently, these are the combinations of system dependencies that work for MacOS
 ```bash
 $ jq --null-input '[inputs.engines] | add' < ./package.json < ./recipes/package.json
 {
-  "node": "16.15.0",
-  "npm": "8.7.0",
+  "node": "16.15.1",
+  "npm": "8.13.2",
   "pnpm": "7.0.1"
 }
 ```
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:16.15.0-alpine as build
+FROM node:16.15.1-alpine as build
 
 WORKDIR /server-build
 
@@ -11,7 +11,7 @@ RUN NPM_VERSION=$(node -p 'require("./package.json").engines.npm'); npm i -g npm
 RUN npm ci --build-from-source --sqlite=/usr/local
 
 # ---- RUNTIME IMAGE ----------------------------------------------------------
-FROM node:16.15.0-alpine
+FROM node:16.15.1-alpine
 
 WORKDIR /app
 LABEL maintainer="ferdium"
diff --git a/app/Controllers/Http/ServiceController.js b/app/Controllers/Http/ServiceController.js
@@ -6,6 +6,7 @@ const Helpers = use('Helpers');
 const { v4: uuid } = require('uuid');
 const path = require('path');
 const fs = require('fs-extra');
+const sanitize = require('sanitize-filename');
 
 class ServiceController {
   // Create a new service for user
@@ -231,10 +232,21 @@ class ServiceController {
   }
 
   async icon({ params, response }) {
-    const { id } = params;
+    let { id } = params;
+
+    id = sanitize(id);
+    if (id === '') {
+      return response.status(404).send({
+        status: "Icon doesn't exist",
+      });
+    }
 
     const iconPath = path.join(Helpers.tmpPath('uploads'), id);
-    if (!(await fs.exists(iconPath))) {
+
+    try {
+      await fs.access(iconPath);
+    } catch {
+      // File not available.
       return response.status(404).send({
         status: "Icon doesn't exist",
       });
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -5,8 +5,8 @@
   "description": "Ferdium server to replace the default Franz/Ferdi server.",
   "main": "index.js",
   "engines": {
-    "node": "16.15.0",
-    "npm": "8.7.0"
+    "node": "16.15.1",
+    "npm": "8.13.2"
   },
   "scripts": {
     "prepare": "is-ci || husky install",
@@ -45,6 +45,7 @@
     "mysql": "2.18.1",
     "node-fetch": "^2.6.7",
     "pg": "^8.0.3",
+    "sanitize-filename": "1.6.3",
     "semver": "7.3.5",
     "sqlite3": "^4.1.0",
     "targz": "^1.0.1",

Original file line number	Diff line number	Diff line change
`@@ -49,8 +49,8 @@ Currently, these are the combinations of system dependencies that work for MacOS`
`49`	`49`	```bash
`50`	`50`	`$ jq --null-input '[inputs.engines] \| add' < ./package.json < ./recipes/package.json`
`51`	`51`	`{`
`52`		`- "node": "16.15.0",`
`53`		`- "npm": "8.7.0",`
	`52`	`+ "node": "16.15.1",`
	`53`	`+ "npm": "8.13.2",`
`54`	`54`	`"pnpm": "7.0.1"`
`55`	`55`	`}`
`56`	`56`	```