fix(server): validate filename and emoji name to improve security

2023-02-05 14:25:37 +09:00 · 2023-02-05 14:25:37 +09:00 · 0d7256678e
commit 0d7256678e
parent f599337320
2 changed files with 9 additions and 1 deletions
--- a/packages/backend/src/queue/processors/ImportCustomEmojisProcessorService.ts
+++ b/packages/backend/src/queue/processors/ImportCustomEmojisProcessorService.ts
@ -81,6 +81,10 @@ export class ImportCustomEmojisProcessorService {

 			for (const record of meta.emojis) {
 				if (!record.downloaded) continue;
+				if (!/^[a-zA-Z0-9_]+?([a-zA-Z0-9\.]+)?$/.test(record.fileName)) {
+					this.logger.error(`invalid filename: ${record.fileName}`);
+					continue;
+				}
 				const emojiInfo = record.emoji;
 				const emojiPath = outputPath + '/' + record.fileName;
 				await this.emojisRepository.delete({