Improve nested path detection across app
This commit is contained in:
Evan Hahn
Josh Perez
parent
57d206a344
commit
f8fc23a7a3
5 changed files with 169 additions and 12 deletions
|
|
@ -10,6 +10,7 @@ const toArrayBuffer = require('to-arraybuffer');
|
|||
const { map, isArrayBuffer, isString } = require('lodash');
|
||||
const normalizePath = require('normalize-path');
|
||||
const sanitizeFilename = require('sanitize-filename');
|
||||
const { isPathInside } = require('../ts/util/isPathInside');
|
||||
const getGuid = require('uuid/v4');
|
||||
|
||||
let xattr;
|
||||
|
|
@ -26,6 +27,8 @@ const STICKER_PATH = 'stickers.noindex';
|
|||
const TEMP_PATH = 'temp';
|
||||
const DRAFT_PATH = 'drafts.noindex';
|
||||
|
||||
const getApp = () => app || remote.app;
|
||||
|
||||
exports.getAllAttachments = async userDataPath => {
|
||||
const dir = exports.getPath(userDataPath);
|
||||
const pattern = normalizePath(path.join(dir, '**', '*'));
|
||||
|
|
@ -113,7 +116,7 @@ exports.createReader = root => {
|
|||
|
||||
const absolutePath = path.join(root, relativePath);
|
||||
const normalized = path.normalize(absolutePath);
|
||||
if (!normalized.startsWith(root)) {
|
||||
if (!isPathInside(normalized, root)) {
|
||||
throw new Error('Invalid relative path');
|
||||
}
|
||||
const buffer = await fse.readFile(normalized);
|
||||
|
|
@ -133,7 +136,7 @@ exports.createDoesExist = root => {
|
|||
|
||||
const absolutePath = path.join(root, relativePath);
|
||||
const normalized = path.normalize(absolutePath);
|
||||
if (!normalized.startsWith(root)) {
|
||||
if (!isPathInside(normalized, root)) {
|
||||
throw new Error('Invalid relative path');
|
||||
}
|
||||
try {
|
||||
|
|
@ -150,16 +153,24 @@ exports.copyIntoAttachmentsDirectory = root => {
|
|||
throw new TypeError("'root' must be a path");
|
||||
}
|
||||
|
||||
const userDataPath = getApp().getPath('userData');
|
||||
|
||||
return async sourcePath => {
|
||||
if (!isString(sourcePath)) {
|
||||
throw new TypeError('sourcePath must be a string');
|
||||
}
|
||||
|
||||
if (!isPathInside(sourcePath, userDataPath)) {
|
||||
throw new Error(
|
||||
"'sourcePath' must be relative to the user config directory"
|
||||
);
|
||||
}
|
||||
|
||||
const name = exports.createName();
|
||||
const relativePath = exports.getRelativePath(name);
|
||||
const absolutePath = path.join(root, relativePath);
|
||||
const normalized = path.normalize(absolutePath);
|
||||
if (!normalized.startsWith(root)) {
|
||||
if (!isPathInside(normalized, root)) {
|
||||
throw new Error('Invalid relative path');
|
||||
}
|
||||
|
||||
|
|
@ -170,7 +181,7 @@ exports.copyIntoAttachmentsDirectory = root => {
|
|||
};
|
||||
|
||||
exports.writeToDownloads = async ({ data, name }) => {
|
||||
const appToUse = app || remote.app;
|
||||
const appToUse = getApp();
|
||||
const downloadsPath =
|
||||
appToUse.getPath('downloads') || appToUse.getPath('home');
|
||||
const sanitized = sanitizeFilename(name);
|
||||
|
|
@ -189,7 +200,7 @@ exports.writeToDownloads = async ({ data, name }) => {
|
|||
|
||||
const target = path.join(downloadsPath, candidateName);
|
||||
const normalized = path.normalize(target);
|
||||
if (!normalized.startsWith(downloadsPath)) {
|
||||
if (!isPathInside(normalized, downloadsPath)) {
|
||||
throw new Error('Invalid filename!');
|
||||
}
|
||||
|
||||
|
|
@ -223,14 +234,14 @@ async function writeWithAttributes(target, data) {
|
|||
|
||||
exports.openFileInDownloads = async name => {
|
||||
const shellToUse = shell || remote.shell;
|
||||
const appToUse = app || remote.app;
|
||||
const appToUse = getApp();
|
||||
|
||||
const downloadsPath =
|
||||
appToUse.getPath('downloads') || appToUse.getPath('home');
|
||||
const target = path.join(downloadsPath, name);
|
||||
|
||||
const normalized = path.normalize(target);
|
||||
if (!normalized.startsWith(downloadsPath)) {
|
||||
if (!isPathInside(normalized, downloadsPath)) {
|
||||
throw new Error('Invalid filename!');
|
||||
}
|
||||
|
||||
|
|
@ -310,7 +321,7 @@ exports.createWriterForExisting = root => {
|
|||
const buffer = Buffer.from(arrayBuffer);
|
||||
const absolutePath = path.join(root, relativePath);
|
||||
const normalized = path.normalize(absolutePath);
|
||||
if (!normalized.startsWith(root)) {
|
||||
if (!isPathInside(normalized, root)) {
|
||||
throw new Error('Invalid relative path');
|
||||
}
|
||||
|
||||
|
|
@ -335,7 +346,7 @@ exports.createDeleter = root => {
|
|||
|
||||
const absolutePath = path.join(root, relativePath);
|
||||
const normalized = path.normalize(absolutePath);
|
||||
if (!normalized.startsWith(root)) {
|
||||
if (!isPathInside(normalized, root)) {
|
||||
throw new Error('Invalid relative path');
|
||||
}
|
||||
await fse.remove(absolutePath);
|
||||
|
|
@ -402,7 +413,7 @@ exports.getRelativePath = name => {
|
|||
exports.createAbsolutePathGetter = rootPath => relativePath => {
|
||||
const absolutePath = path.join(rootPath, relativePath);
|
||||
const normalized = path.normalize(absolutePath);
|
||||
if (!normalized.startsWith(rootPath)) {
|
||||
if (!isPathInside(normalized, rootPath)) {
|
||||
throw new Error('Invalid relative path');
|
||||
}
|
||||
return normalized;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue