Update dependencies and fix local server directory traversal

kris7t · SpecialAro · commit aabf1f2a01ef · 2022-07-10T22:47:27.000+01:00
diff --git a/app/Controllers/Http/ServiceController.js b/app/Controllers/Http/ServiceController.js
@@ -6,6 +6,7 @@ const Helpers = use('Helpers');
 const { v4: uuid } = require('uuid');
 const path = require('path');
 const fs = require('fs-extra');
+const sanitize = require('sanitize-filename');
 
 class ServiceController {
   // Create a new service for user
@@ -231,10 +232,21 @@ class ServiceController {
   }
 
   async icon({ params, response }) {
-    const { id } = params;
+    let { id } = params;
+
+    id = sanitize(id);
+    if (id === '') {
+      return response.status(404).send({
+        status: "Icon doesn't exist",
+      });
+    }
 
     const iconPath = path.join(Helpers.tmpPath('uploads'), id);
-    if (!(await fs.exists(iconPath))) {
+
+    try {
+      await fs.access(iconPath);
+    } catch {
+      // File not available.
       return response.status(404).send({
         status: "Icon doesn't exist",
       });
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -5,8 +5,8 @@
   "description": "Ferdium server to replace the default Franz/Ferdi server.",
   "main": "index.js",
   "engines": {
-    "node": "16.15.0",
-    "npm": "8.7.0"
+    "node": "16.15.1",
+    "npm": "8.13.2"
   },
   "scripts": {
     "prepare": "is-ci || husky install",
@@ -45,6 +45,7 @@
     "mysql": "2.18.1",
     "node-fetch": "^2.6.7",
     "pg": "^8.0.3",
+    "sanitize-filename": "1.6.3",
     "semver": "7.3.5",
     "sqlite3": "^4.1.0",
     "targz": "^1.0.1",
