security improvement check upload path

frangoteam · May 10, 2022 · 3a30588 · 3a30588
1 parent 789d806
commit 3a30588
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 4 deletions.
diff --git a/client/package.json b/client/package.json
@@ -1,6 +1,6 @@
 {
   "name": "fuxa",
-  "version": "1.1.6-687",
+  "version": "1.1.6-688",
   "keywords": [],
   "author": "frangoteam <4frango@gmail.com>",
   "description": "Web-based Process Visualization (SCADA/HMI/Dashboard) software",

diff --git a/server/api/projects/index.js b/server/api/projects/index.js
@@ -196,13 +196,14 @@ module.exports = {
                 let encoding = {};
                 // let basedata = file.data.replace(/^data:.*,/, '');
                 // let basedata = file.data.replace(/^data:image\/png;base64,/, "");
-                const filePath = path.join(runtime.settings.uploadFileDir, file.name);
+                let fileName = file.name.replace(new RegExp('../', 'g'), '');
+                const filePath = path.join(runtime.settings.uploadFileDir, fileName);
                 if (file.type !== 'svg') {
                     basedata = file.data.replace(/^data:.*,/, '');
                     encoding = {encoding: 'base64'};
                 }
                 fs.writeFileSync(filePath, basedata, encoding);
-                let result = {'location': '/' + runtime.settings.httpUploadFileStatic + '/' +file.name };
+                let result = {'location': '/' + runtime.settings.httpUploadFileStatic + '/' + fileName };
                 res.json(result);
             } catch (err) {
                 if (err && err.code) {

diff --git a/server/package.json b/server/package.json
@@ -1,6 +1,6 @@
 {
   "name": "fuxa-server",
-  "version": "1.1.6-687",
+  "version": "1.1.6-688",
   "description": "Web-based Process Visualization (SCADA/HMI/Dashboard) software",
   "main": "main.js",
   "scripts": {