From 3a3058821e939f06d9dffbff55483b3b167e80a4 Mon Sep 17 00:00:00 2001
From: unocelli
Date: Tue, 10 May 2022 20:55:19 +0200
Subject: [PATCH] security improvement check upload path

---
 client/package.json | 2 +-
 server/api/projects/index.js | 5 +++--
 server/package.json | 2 +-
 3 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/client/package.json b/client/package.json
index 29b7c73e8..6bcbc3abc 100644
--- a/client/package.json
+++ b/client/package.json
@@ -1,6 +1,6 @@
 {
 "name": "fuxa",
- "version": "1.1.6-687",
+ "version": "1.1.6-688",
 "keywords": [],
 "author": "frangoteam <4frango@gmail.com>",
 "description": "Web-based Process Visualization (SCADA/HMI/Dashboard) software",
diff --git a/server/api/projects/index.js b/server/api/projects/index.js
index 29e98c265..2f514fe73 100644
--- a/server/api/projects/index.js
+++ b/server/api/projects/index.js
@@ -196,13 +196,14 @@ module.exports = {
 let encoding = {};
 // let basedata = file.data.replace(/^data:.*,/, '');
 // let basedata = file.data.replace(/^data:image\/png;base64,/, "");
- const filePath = path.join(runtime.settings.uploadFileDir, file.name);
+ let fileName = file.name.replace(new RegExp('../', 'g'), '');
+ const filePath = path.join(runtime.settings.uploadFileDir, fileName);
 if (file.type !== 'svg') {
 basedata = file.data.replace(/^data:.*,/, '');
 encoding = {encoding: 'base64'};
 }
 fs.writeFileSync(filePath, basedata, encoding);
- let result = {'location': '/' + runtime.settings.httpUploadFileStatic + '/' +file.name };
+ let result = {'location': '/' + runtime.settings.httpUploadFileStatic + '/' + fileName };
 res.json(result);
 } catch (err) {
 if (err && err.code) {
diff --git a/server/package.json b/server/package.json
index 1ecd818d2..38470b966 100644
--- a/server/package.json
+++ b/server/package.json
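Review bot: The added `file.name.replace(new RegExp('../', 'g'), '')` does not stop path traversal: the pattern is compiled from a string, so its unescaped `.` matches any two characters before a `/` rather than the literal `..`, and the replacement is a single pass, so a name like `....//x.svg` collapses to `../x.svg` after stripping and still escapes `uploadFileDir` in the following `path.join`. Replace the regex with `let fileName = path.basename(file.name);`, which drops every directory component (and also reject an empty result), and as defense in depth resolve and check containment before the write: `const filePath = path.resolve(runtime.settings.uploadFileDir, fileName); if (!filePath.startsWith(path.resolve(runtime.settings.uploadFileDir) + path.sep)) throw new Error('invalid upload file name');`. Separately, the only content check in this hunk is `file.type !== 'svg'`, which selects the encoding but does not restrict what is written into the directory exposed under `httpUploadFileStatic`; if that static handler serves any extension, an uploaded `.html` would be served from the application's own origin, so an allow-list of permitted extensions belongs here as well. The enclosing handler and its `try` begin before the hunk and the `catch` continues after it.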
@@ -1,6 +1,6 @@
 {
 "name": "fuxa-server",
- "version": "1.1.6-687",
+ "version": "1.1.6-688",
 "description": "Web-based Process Visualization (SCADA/HMI/Dashboard) software",
 "main": "main.js",
 "scripts": {