🛡️ : Security Enhancements (#1681)

* fix: sanitize HTTP params and do not send whole error objects back

* fix: prevent path traversal

* fix: send custom error message for tokenizer route

* chore: handle info exposure vector

* chore(oauth): skip check due to false positive as oauth routes are rate-limited

* chore(app): disable `x-powered-by`

* chore: disable false positives or flagging of hardcoded secrets when they are fake values

* chore: add path traversal safety check
This commit is contained in:
Danny Avila 2024-01-30 14:34:02 -05:00 committed by GitHub
parent 9fad1b2cae
commit 972402e029
23 changed files with 72 additions and 28 deletions


@ -1,4 +1,5 @@
const { z } = require('zod');
const path = require('path');
const fs = require('fs').promises;
const express = require('express');
const upload = require('./multer');
@ -39,7 +40,12 @@ router.post('/', upload.single('file'), async (req, res) => {
} catch (error) {
logger.error('[/files/images] Error processing file:', error);
try {
await fs.unlink(file.path);
const filepath = path.join(
req.app.locals.paths.imageOutput,
req.user.id,
path.basename(file.filename),
);
await fs.unlink(filepath);
} catch (error) {
logger.error('[/files/images] Error deleting file:', error);
}
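Review bot: The cleanup now unlinks `imageOutput/<userId>/<basename>` instead of the multer temp path `file.path` that the removed line targeted, so if the error is thrown before the upload has been moved into the output directory, the original temp file is left on disk. The processing code that would do that move is in the try block that begins before this hunk, so this is inferred; if the move is not guaranteed to have happened, unlink both locations or pick the one that exists, e.g. `await fs.unlink(file.path).catch(() => {});` before the new unlink. Separately, `upload.single('file')` does not guarantee a file was attached, so `file.filename` can throw a TypeError here when `file` is undefined, which would be logged as a misleading "Error deleting file"; a guard such as `if (!file) { return; }` at the top of the inner try avoids that. The inner `catch (error)` also shadows the outer `error`; renaming it `unlinkError` keeps the two distinguishable in the logs.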