From 47a5c7126c20e2277ee56e2c7ee11990886a40a7 Mon Sep 17 00:00:00 2001 From: timothycarambat Date: Tue, 27 Aug 2024 16:19:12 -0700 Subject: [PATCH] Patch path traversal in move-files that can be used by `administrator` level attacker only --- .../ChatHistory/HistoricalMessage/index.jsx | 2 +- package.json | 2 +- server/endpoints/api/document/index.js | 6 ++++++ server/endpoints/document.js | 6 ++++++ server/models/browserExtensionApiKey.js | 12 ++++++------ 5 files changed, 20 insertions(+), 8 deletions(-) diff --git a/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx b/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx index d8b529780e..27025b0526 100644 --- a/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx +++ b/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx @@ -98,7 +98,7 @@ const HistoricalMessage = ({ saveChanges={saveEditedMessage} /> ) : ( -
+
=18"
 },
 "scripts": {
- "lint": "cd server && yarn lint && cd ../frontend && yarn lint && cd ../embed && yarn lint && cd ../collector && yarn lint",
+ "lint": "cd server && yarn lint && cd ../frontend && yarn lint && cd ../collector && yarn lint",
 "setup": "cd server && yarn && cd ../collector && yarn && cd ../frontend && yarn && cd .. && yarn setup:envs && yarn prisma:setup && echo \"Please run yarn dev:server, yarn dev:collector, and yarn dev:frontend in separate terminal tabs.\"",
 "setup:envs": "cp -n ./frontend/.env.example ./frontend/.env && cp -n ./server/.env.example ./server/.env.development && cp -n ./collector/.env.example ./collector/.env && cp -n ./docker/.env.example ./docker/.env && echo \"All ENV files copied!\n\"",
 "dev:server": "cd server && yarn dev",
diff --git a/server/endpoints/api/document/index.js b/server/endpoints/api/document/index.js
index 51b2c03deb..b4461175ad 100644
--- a/server/endpoints/api/document/index.js
+++ b/server/endpoints/api/document/index.js
@@ -686,6 +686,12 @@ function apiDocumentEndpoints(app) {
 const sourcePath = path.join(documentsPath, normalizePath(from));
 const destinationPath = path.join(documentsPath, normalizePath(to));
 return new Promise((resolve, reject) => {
+ if (
+ !isWithin(documentsPath, sourcePath) ||
+ !isWithin(documentsPath, destinationPath)
+ )
+ return reject("Invalid file location");
+
 fs.rename(sourcePath, destinationPath, (err) => {
 if (err) {
 console.error(`Error moving file ${from} to ${to}:`, err);
diff --git a/server/endpoints/document.js b/server/endpoints/document.js
index 419e8d5538..e4c311aee5 100644
--- a/server/endpoints/document.js
+++ b/server/endpoints/document.js
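Review bot: The new guard in the move-files promise compares `sourcePath` and `destinationPath` as joined strings, so whether it also holds for a symlinked directory under `documentsPath` depends on `isWithin`, whose implementation and import are not visible in this hunk. If `isWithin` is purely lexical, resolve the existing parts first, e.g. `fs.realpathSync(sourcePath)` and `fs.realpathSync(path.dirname(destinationPath))`, and run the check on those. The same six lines are repeated in the `documentEndpoints` hunk of server/endpoints/document.js; a shared helper would keep the two endpoints from drifting apart. The rejection is also silent: logging the rejected `from`/`to` at this point, as the `fs.rename` error branch already does, would leave a trace for detection. The enclosing handler starts and ends outside the hunk.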
@@ -60,6 +60,12 @@ function documentEndpoints(app) {
 const destinationPath = path.join(documentsPath, normalizePath(to));
 return new Promise((resolve, reject) => {
+ if (
+ !isWithin(documentsPath, sourcePath) ||
+ !isWithin(documentsPath, destinationPath)
+ )
+ return reject("Invalid file location");
+
 fs.rename(sourcePath, destinationPath, (err) => {
 if (err) {
 console.error(`Error moving file ${from} to ${to}:`, err);
diff --git a/server/models/browserExtensionApiKey.js b/server/models/browserExtensionApiKey.js
index 21c1a3a017..45759d98d1 100644
--- a/server/models/browserExtensionApiKey.js
+++ b/server/models/browserExtensionApiKey.js
@@ -88,9 +88,9 @@ const BrowserExtensionApiKey = {
 /**
 * Gets browser keys by params
- * @param {object} clause
- * @param {number|null} limit
- * @param {object|null} orderBy
+ * @param {object} clause
+ * @param {number|null} limit
+ * @param {object|null} orderBy
 * @returns {Promise}
 */
 where: async function (clause = {}, limit = null, orderBy = null) {
@@ -111,9 +111,9 @@ const BrowserExtensionApiKey = {
 /**
 * Get browser API keys for user
 * @param {import("@prisma/client").users} user
- * @param {object} clause
- * @param {number|null} limit
- * @param {object|null} orderBy
+ * @param {object} clause
+ * @param {number|null} limit
+ * @param {object|null} orderBy
 * @returns {Promise}
 */
 whereWithUser: async function (