Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-17 07:50:12 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Rename files with possible XSS

Browse source 
Previously upload of such files would fail silently.
Now they are renamed to a sanitized version and a warning is printed in the console.
This commit is contained in:
Vid Smole 2023-08-16 18:51:40 +02:00
parent 998f3fe8a7
commit fa58d0ec3b
No known key found for this signature in database
GPG key ID: 85348A78371C84EB
1 changed files with 6 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

9
client/components/cards/attachments.js
View file

@ -292,13 +292,16 @@ Template.cardAttachmentsPopup.events({
let uploads = []; let uploads = [];
for (const file of files) { for (const file of files) {
const fileId = new ObjectID().toString(); const fileId = new ObjectID().toString();
// If filename is not same as sanitized filename, has XSS, then cancel upload const fileName = DOMPurify.sanitize(file.name);
if (file.name !== DOMPurify.sanitize(file.name)) {
return false; if (fileName !== file.name) {
console.warn('Detected possible XSS in file: ', file.name + '. Renamed to: ', fileName + '.');
} }
const config = { const config = {
file: file, file: file,
fileId: fileId, fileId: fileId,
fileName: fileName,
meta: Utils.getCommonAttachmentMetaFrom(card), meta: Utils.getCommonAttachmentMetaFrom(card),
chunkSize: 'dynamic', chunkSize: 'dynamic',
}; };