mirror of
https://github.com/kokonect-link/cherrypick
synced 2024-11-28 14:58:29 +09:00
fix(server): validate filename and emoji name to improve security
This commit is contained in:
parent
f599337320
commit
0d7256678e
@ -12,9 +12,9 @@ import type Logger from '@/logger.js';
|
|||||||
import { DriveService } from '@/core/DriveService.js';
|
import { DriveService } from '@/core/DriveService.js';
|
||||||
import { createTemp, createTempDir } from '@/misc/create-temp.js';
|
import { createTemp, createTempDir } from '@/misc/create-temp.js';
|
||||||
import { DownloadService } from '@/core/DownloadService.js';
|
import { DownloadService } from '@/core/DownloadService.js';
|
||||||
|
import { bindThis } from '@/decorators.js';
|
||||||
import { QueueLoggerService } from '../QueueLoggerService.js';
|
import { QueueLoggerService } from '../QueueLoggerService.js';
|
||||||
import type Bull from 'bull';
|
import type Bull from 'bull';
|
||||||
import { bindThis } from '@/decorators.js';
|
|
||||||
|
|
||||||
@Injectable()
|
@Injectable()
|
||||||
export class ExportCustomEmojisProcessorService {
|
export class ExportCustomEmojisProcessorService {
|
||||||
@ -82,6 +82,10 @@ export class ExportCustomEmojisProcessorService {
|
|||||||
});
|
});
|
||||||
|
|
||||||
for (const emoji of customEmojis) {
|
for (const emoji of customEmojis) {
|
||||||
|
if (!/^[a-zA-Z0-9_]+$/.test(emoji.name)) {
|
||||||
|
this.logger.error(`invalid emoji name: ${emoji.name}`);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
const ext = mime.extension(emoji.type ?? 'image/png');
|
const ext = mime.extension(emoji.type ?? 'image/png');
|
||||||
const fileName = emoji.name + (ext ? '.' + ext : '');
|
const fileName = emoji.name + (ext ? '.' + ext : '');
|
||||||
const emojiPath = path + '/' + fileName;
|
const emojiPath = path + '/' + fileName;
|
||||||
|
@ -81,6 +81,10 @@ export class ImportCustomEmojisProcessorService {
|
|||||||
|
|
||||||
for (const record of meta.emojis) {
|
for (const record of meta.emojis) {
|
||||||
if (!record.downloaded) continue;
|
if (!record.downloaded) continue;
|
||||||
|
if (!/^[a-zA-Z0-9_]+?([a-zA-Z0-9\.]+)?$/.test(record.fileName)) {
|
||||||
|
this.logger.error(`invalid filename: ${record.fileName}`);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
const emojiInfo = record.emoji;
|
const emojiInfo = record.emoji;
|
||||||
const emojiPath = outputPath + '/' + record.fileName;
|
const emojiPath = outputPath + '/' + record.fileName;
|
||||||
await this.emojisRepository.delete({
|
await this.emojisRepository.delete({
|
||||||
|
Loading…
Reference in New Issue
Block a user