Improve nested path detection across app

This commit is contained in:
Evan Hahn 2020-08-27 13:08:37 -05:00 committed by Josh Perez
parent 57d206a344
commit f8fc23a7a3
5 changed files with 169 additions and 12 deletions

View file

@ -10,6 +10,7 @@ const toArrayBuffer = require('to-arraybuffer');
const { map, isArrayBuffer, isString } = require('lodash');
const normalizePath = require('normalize-path');
const sanitizeFilename = require('sanitize-filename');
const { isPathInside } = require('../ts/util/isPathInside');
const getGuid = require('uuid/v4');
let xattr;
@ -26,6 +27,8 @@ const STICKER_PATH = 'stickers.noindex';
const TEMP_PATH = 'temp';
const DRAFT_PATH = 'drafts.noindex';
const getApp = () => app || remote.app;
exports.getAllAttachments = async userDataPath => {
const dir = exports.getPath(userDataPath);
const pattern = normalizePath(path.join(dir, '**', '*'));
@ -113,7 +116,7 @@ exports.createReader = root => {
const absolutePath = path.join(root, relativePath);
const normalized = path.normalize(absolutePath);
if (!normalized.startsWith(root)) {
if (!isPathInside(normalized, root)) {
throw new Error('Invalid relative path');
}
const buffer = await fse.readFile(normalized);
@ -133,7 +136,7 @@ exports.createDoesExist = root => {
const absolutePath = path.join(root, relativePath);
const normalized = path.normalize(absolutePath);
if (!normalized.startsWith(root)) {
if (!isPathInside(normalized, root)) {
throw new Error('Invalid relative path');
}
try {
@ -150,16 +153,24 @@ exports.copyIntoAttachmentsDirectory = root => {
throw new TypeError("'root' must be a path");
}
const userDataPath = getApp().getPath('userData');
return async sourcePath => {
if (!isString(sourcePath)) {
throw new TypeError('sourcePath must be a string');
}
if (!isPathInside(sourcePath, userDataPath)) {
throw new Error(
"'sourcePath' must be relative to the user config directory"
);
}
const name = exports.createName();
const relativePath = exports.getRelativePath(name);
const absolutePath = path.join(root, relativePath);
const normalized = path.normalize(absolutePath);
if (!normalized.startsWith(root)) {
if (!isPathInside(normalized, root)) {
throw new Error('Invalid relative path');
}
@ -170,7 +181,7 @@ exports.copyIntoAttachmentsDirectory = root => {
};
exports.writeToDownloads = async ({ data, name }) => {
const appToUse = app || remote.app;
const appToUse = getApp();
const downloadsPath =
appToUse.getPath('downloads') || appToUse.getPath('home');
const sanitized = sanitizeFilename(name);
@ -189,7 +200,7 @@ exports.writeToDownloads = async ({ data, name }) => {
const target = path.join(downloadsPath, candidateName);
const normalized = path.normalize(target);
if (!normalized.startsWith(downloadsPath)) {
if (!isPathInside(normalized, downloadsPath)) {
throw new Error('Invalid filename!');
}
@ -223,14 +234,14 @@ async function writeWithAttributes(target, data) {
exports.openFileInDownloads = async name => {
const shellToUse = shell || remote.shell;
const appToUse = app || remote.app;
const appToUse = getApp();
const downloadsPath =
appToUse.getPath('downloads') || appToUse.getPath('home');
const target = path.join(downloadsPath, name);
const normalized = path.normalize(target);
if (!normalized.startsWith(downloadsPath)) {
if (!isPathInside(normalized, downloadsPath)) {
throw new Error('Invalid filename!');
}
@ -310,7 +321,7 @@ exports.createWriterForExisting = root => {
const buffer = Buffer.from(arrayBuffer);
const absolutePath = path.join(root, relativePath);
const normalized = path.normalize(absolutePath);
if (!normalized.startsWith(root)) {
if (!isPathInside(normalized, root)) {
throw new Error('Invalid relative path');
}
@ -335,7 +346,7 @@ exports.createDeleter = root => {
const absolutePath = path.join(root, relativePath);
const normalized = path.normalize(absolutePath);
if (!normalized.startsWith(root)) {
if (!isPathInside(normalized, root)) {
throw new Error('Invalid relative path');
}
await fse.remove(absolutePath);
@ -402,7 +413,7 @@ exports.getRelativePath = name => {
exports.createAbsolutePathGetter = rootPath => relativePath => {
const absolutePath = path.join(rootPath, relativePath);
const normalized = path.normalize(absolutePath);
if (!normalized.startsWith(rootPath)) {
if (!isPathInside(normalized, rootPath)) {
throw new Error('Invalid relative path');
}
return normalized;