🛡️ fix: Enhance File Upload Security & Error Handling (#4705)

* fix: sanitize filename in multer storage callback * fix: ensure temporary image upload file is deleted after processing * fix: prevent cleanup flag from being set to false before actually deleted * refactor: user avatar, typing, use 'file' for formData instead of 'input', add disk storage, use localization * fix: update Avatar component to include image dimensions in formData and refactor editor reference type * fix: refactor avatar upload handling to use fs for file reading and enhance file validation * fix: ensure temporary image upload file is deleted after processing * fix: refactor avatar upload routes and handlers for agents and assistants, improve file handling and validation * fix: improve audio file validation and cleanup * fix: add filename sanitization utility and integrate it into multer storage configuration * fix: update group project ID check for null and refactor delete prompt group response type * fix: invalid access control for deleting prompt groups * fix: add error handling and logging to checkBan middleware * fix: catch conversation parsing errors * chore: revert unnecessary height and width parameters from avatar upload * chore: update librechat-data-provider version to 0.7.55 * style: ensure KaTeX can spread across visible space
2025-12-17 08:50:15 +01:00 · 2024-11-12 16:41:04 -05:00 · 2024-11-12 16:41:04 -05:00 · d012da0065
commit d012da0065
parent 3c94ff2c04
33 changed files with 373 additions and 186 deletions
--- a/api/server/utils/handleText.js
+++ b/api/server/utils/handleText.js
@ -1,3 +1,5 @@
+const path = require('path');
+const crypto = require('crypto');
 const {
  Capabilities,
  EModelEndpoint,
@ -222,6 +224,38 @@ function normalizeEndpointName(name = '') {
  return name.toLowerCase() === Providers.OLLAMA ? Providers.OLLAMA : name;
 }

+/**
+ * Sanitize a filename by removing any directory components, replacing non-alphanumeric characters
+ * @param {string} inputName
+ * @returns {string}
+ */
+function sanitizeFilename(inputName) {
+  // Remove any directory components
+  let name = path.basename(inputName);
+
+  // Replace any non-alphanumeric characters except for '.' and '-'
+  name = name.replace(/[^a-zA-Z0-9.-]/g, '_');
+
+  // Ensure the name doesn't start with a dot (hidden file in Unix-like systems)
+  if (name.startsWith('.') || name === '') {
+    name = '_' + name;
+  }
+
+  // Limit the length of the filename
+  const MAX_LENGTH = 255;
+  if (name.length > MAX_LENGTH) {
+    const ext = path.extname(name);
+    const nameWithoutExt = path.basename(name, ext);
+    name =
+      nameWithoutExt.slice(0, MAX_LENGTH - ext.length - 7) +
+      '-' +
+      crypto.randomBytes(3).toString('hex') +
+      ext;
+  }
+
+  return name;
+}
+
 module.exports = {
  isEnabled,
  handleText,
@ -231,5 +265,6 @@ module.exports = {
  generateConfig,
  addSpaceIfNeeded,
  createOnProgress,
+  sanitizeFilename,
  normalizeEndpointName,
 };