mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-17 00:40:14 +01:00
🛡️ fix: Enhance File Upload Security & Error Handling (#4705)
* fix: sanitize filename in multer storage callback * fix: ensure temporary image upload file is deleted after processing * fix: prevent cleanup flag from being set to false before actually deleted * refactor: user avatar, typing, use 'file' for formData instead of 'input', add disk storage, use localization * fix: update Avatar component to include image dimensions in formData and refactor editor reference type * fix: refactor avatar upload handling to use fs for file reading and enhance file validation * fix: ensure temporary image upload file is deleted after processing * fix: refactor avatar upload routes and handlers for agents and assistants, improve file handling and validation * fix: improve audio file validation and cleanup * fix: add filename sanitization utility and integrate it into multer storage configuration * fix: update group project ID check for null and refactor delete prompt group response type * fix: invalid access control for deleting prompt groups * fix: add error handling and logging to checkBan middleware * fix: catch conversation parsing errors * chore: revert unnecessary height and width parameters from avatar upload * chore: update librechat-data-provider version to 0.7.55 * style: ensure KaTeX can spread across visible space
This commit is contained in:
Danny Avila
GitHub
parent
3c94ff2c04
commit
d012da0065
33 changed files with 373 additions and 186 deletions
|
|
@ -1,17 +1,18 @@
|
|||
const multer = require('multer');
|
||||
const fs = require('fs').promises;
|
||||
const express = require('express');
|
||||
const { getStrategyFunctions } = require('~/server/services/Files/strategies');
|
||||
const { resizeAvatar } = require('~/server/services/Files/images/avatar');
|
||||
const { filterFile } = require('~/server/services/Files/process');
|
||||
const { logger } = require('~/config');
|
||||
|
||||
const upload = multer();
|
||||
const router = express.Router();
|
||||
|
||||
router.post('/', upload.single('input'), async (req, res) => {
|
||||
router.post('/', async (req, res) => {
|
||||
try {
|
||||
filterFile({ req, file: req.file, image: true, isAvatar: true });
|
||||
const userId = req.user.id;
|
||||
const { manual } = req.body;
|
||||
const input = req.file.buffer;
|
||||
const input = await fs.readFile(req.file.path);
|
||||
|
||||
if (!userId) {
|
||||
throw new Error('User ID is undefined');
|
||||
|
|
@ -33,6 +34,13 @@ router.post('/', upload.single('input'), async (req, res) => {
|
|||
const message = 'An error occurred while uploading the profile picture';
|
||||
logger.error(message, error);
|
||||
res.status(500).json({ message });
|
||||
} finally {
|
||||
try {
|
||||
await fs.unlink(req.file.path);
|
||||
logger.debug('[/files/images/avatar] Temp. image upload file deleted');
|
||||
} catch (error) {
|
||||
logger.debug('[/files/images/avatar] Temp. image upload file already deleted');
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
|
|
|
|||
|
|
@ -231,7 +231,6 @@ router.post('/', async (req, res) => {
|
|||
} catch (error) {
|
||||
let message = 'Error processing file';
|
||||
logger.error('[/files] Error processing file:', error);
|
||||
cleanup = false;
|
||||
|
||||
if (error.message?.includes('file_ids')) {
|
||||
message += ': ' + error.message;
|
||||
|
|
@ -240,6 +239,7 @@ router.post('/', async (req, res) => {
|
|||
// TODO: delete remote file if it exists
|
||||
try {
|
||||
await fs.unlink(file.path);
|
||||
cleanup = false;
|
||||
} catch (error) {
|
||||
logger.error('[/files] Error deleting file:', error);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -30,6 +30,13 @@ router.post('/', async (req, res) => {
|
|||
logger.error('[/files/images] Error deleting file:', error);
|
||||
}
|
||||
res.status(500).json({ message: 'Error processing file' });
|
||||
} finally {
|
||||
try {
|
||||
await fs.unlink(req.file.path);
|
||||
logger.debug('[/files/images] Temp. image upload file deleted');
|
||||
} catch (error) {
|
||||
logger.debug('[/files/images] Temp. image upload file already deleted');
|
||||
}
|
||||
}
|
||||
});
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,7 @@
|
|||
const express = require('express');
|
||||
const { uaParser, checkBan, requireJwtAuth, createFileLimiters } = require('~/server/middleware');
|
||||
const { avatar: asstAvatarRouter } = require('~/server/routes/assistants/v1');
|
||||
const { avatar: agentAvatarRouter } = require('~/server/routes/agents/v1');
|
||||
const { createMulterInstance } = require('./multer');
|
||||
|
||||
const files = require('./files');
|
||||
|
|
@ -13,18 +15,25 @@ const initialize = async () => {
|
|||
router.use(checkBan);
|
||||
router.use(uaParser);
|
||||
|
||||
const upload = await createMulterInstance();
|
||||
router.post('/speech/stt', upload.single('audio'));
|
||||
|
||||
/* Important: speech route must be added before the upload limiters */
|
||||
router.use('/speech', speech);
|
||||
|
||||
const upload = await createMulterInstance();
|
||||
const { fileUploadIpLimiter, fileUploadUserLimiter } = createFileLimiters();
|
||||
router.post('*', fileUploadIpLimiter, fileUploadUserLimiter);
|
||||
router.post('/', upload.single('file'));
|
||||
router.post('/images', upload.single('file'));
|
||||
router.post('/images/avatar', upload.single('file'));
|
||||
router.post('/images/agents/:agent_id/avatar', upload.single('file'));
|
||||
router.post('/images/assistants/:assistant_id/avatar', upload.single('file'));
|
||||
|
||||
router.use('/', files);
|
||||
router.use('/images', images);
|
||||
router.use('/images/avatar', avatar);
|
||||
router.use('/images/agents', agentAvatarRouter);
|
||||
router.use('/images/assistants', asstAvatarRouter);
|
||||
return router;
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -3,6 +3,7 @@ const path = require('path');
|
|||
const crypto = require('crypto');
|
||||
const multer = require('multer');
|
||||
const { fileConfig: defaultFileConfig, mergeFileConfig } = require('librechat-data-provider');
|
||||
const { sanitizeFilename } = require('~/server/utils/handleText');
|
||||
const { getCustomConfig } = require('~/server/services/Config');
|
||||
|
||||
const storage = multer.diskStorage({
|
||||
|
|
@ -16,7 +17,8 @@ const storage = multer.diskStorage({
|
|||
filename: function (req, file, cb) {
|
||||
req.file_id = crypto.randomUUID();
|
||||
file.originalname = decodeURIComponent(file.originalname);
|
||||
cb(null, `${file.originalname}`);
|
||||
const sanitizedFilename = sanitizeFilename(file.originalname);
|
||||
cb(null, sanitizedFilename);
|
||||
},
|
||||
});
|
||||
|
||||
|
|
@ -45,6 +47,10 @@ const createFileFilter = (customFileConfig) => {
|
|||
return cb(new Error('No file provided'), false);
|
||||
}
|
||||
|
||||
if (req.originalUrl.endsWith('/speech/stt') && file.mimetype.startsWith('audio/')) {
|
||||
return cb(null, true);
|
||||
}
|
||||
|
||||
const endpoint = req.body.endpoint;
|
||||
const supportedTypes =
|
||||
customFileConfig?.endpoints?.[endpoint]?.supportedMimeTypes ??
|
||||
|
|
|
|||
|
|
@ -1,13 +1,8 @@
|
|||
const express = require('express');
|
||||
const router = express.Router();
|
||||
const multer = require('multer');
|
||||
const { requireJwtAuth } = require('~/server/middleware/');
|
||||
const { speechToText } = require('~/server/services/Files/Audio');
|
||||
|
||||
const upload = multer();
|
||||
const router = express.Router();
|
||||
|
||||
router.post('/', requireJwtAuth, upload.single('audio'), async (req, res) => {
|
||||
await speechToText(req, res);
|
||||
});
|
||||
router.post('/', speechToText);
|
||||
|
||||
module.exports = router;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue