fix(codeQL): Patched code (#4)

* fix(codeQL): Patched code * Update codeql.yml * Update codeql.yml * Update codeql.yml * Update codeql.yml * Update codeql.yml * change codeql * uh codeql ig
Kathund · Dec 17, 2023 · 1be595b · 1be595b
1 parent 5744a83
commit 1be595b
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 83 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
diff --git a/src/endpoints/file.ts b/src/endpoints/file.ts
@@ -1,14 +1,18 @@
 import { Application, Request, Response } from "express";
 import { apiMessage, errorMessage } from "../logger";
 import { existsSync } from "fs";
-import { join } from "path";
+import { resolve } from "path";
 
 export default (app: Application) => {
   app.get("/:name", async (req: Request, res: Response) => {
     try {
       const fileName = req.params.name;
       apiMessage(req.path, `User is trying to get a file - ${fileName}`);
-      const filePath = join(__dirname, "../", "files", fileName);
+      const fileNamePattern = /^[a-zA-Z0-9_-]+$/;
+      if (!fileNamePattern.test(fileName)) {
+        return res.status(400).json({ error: "Invalid file name" });
+      }
+      const filePath = resolve(__dirname, "../", "files", fileName);
       if (!existsSync(filePath)) {
         errorMessage(`File ${fileName} not found`);
         return res

diff --git a/src/endpoints/save.ts b/src/endpoints/save.ts
@@ -26,6 +26,10 @@ export default (app: Application) => {
       }
 
       const fileName = req.params.name;
+      const fileNamePattern = /^[a-zA-Z0-9_-]+$/;
+      if (!fileNamePattern.test(fileName)) {
+        return res.status(400).json({ error: "Invalid file name" });
+      }
       const filePath = join(__dirname, "../", "files", fileName);
       if (existsSync(filePath)) {
         errorMessage(`File ${fileName} already exists`);