Try to fix some security issues.

Thanks to the responsible security disclosure contributors and xet7!
This commit is contained in:
Lauri Ojansivu 2023-02-20 01:21:33 +02:00
parent b349ecbdf7
commit ff993e7c91
9 changed files with 4272 additions and 2291 deletions


@ -6,6 +6,7 @@ import fs from 'fs';
import path from 'path';
import { AttachmentStoreStrategyFilesystem, AttachmentStoreStrategyGridFs, AttachmentStoreStrategyS3 } from '/models/lib/attachmentStoreStrategy';
import FileStoreStrategyFactory, {moveToStorage, rename, STORAGE_NAME_FILESYSTEM, STORAGE_NAME_GRIDFS, STORAGE_NAME_S3} from '/models/lib/fileStoreStrategy';
import DOMPurify from 'isomorphic-dompurify';
let attachmentUploadExternalProgram;
let attachmentUploadMimeTypes = [];
@ -149,9 +150,11 @@ if (Meteor.isServer) {
renameAttachment(fileObjId, newName) {
check(fileObjId, String);
check(newName, String);
const fileObj = Attachments.findOne({_id: fileObjId});
rename(fileObj, newName, fileStoreStrategyFactory);
// If new name is same as sanitized name, does not have XSS, allow rename file
if (newName === DOMPurify.sanitize(newName)) {
const fileObj = Attachments.findOne({_id: fileObjId});
rename(fileObj, newName, fileStoreStrategyFactory);
}
},
validateAttachment(fileObjId) {
check(fileObjId, String);
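Review bot: The new guard in `renameAttachment` silently drops the rename when `newName !== DOMPurify.sanitize(newName)`, so the caller gets no error and a benign name containing `&` or `<` (which DOMPurify rewrites to `&amp;`/strips) is rejected without explanation; an explicit `throw new Meteor.Error(...)` would make the rejection visible and auditable. DOMPurify is an HTML sanitizer, not a filename validator — it does not reject `/`, `..` or NUL bytes — so if the filesystem store strategy derives a path from the name (not visible here), a separate `path.basename(newName) === newName` check is still needed; `path` is already imported on the line above. `Attachments.findOne` can return `undefined`, which is then passed straight to `rename`. No authorization check on the caller is visible in this hunk; unless `rename` itself verifies the user may edit the owning board, any logged-in user who knows an attachment id could rename it — worth confirming.
```javascript
renameAttachment(fileObjId, newName) {
  check(fileObjId, String);
  check(newName, String);
  // Reject names that an HTML sanitizer would alter (XSS guard) — fail loudly rather than silently no-op.
  if (newName !== DOMPurify.sanitize(newName)) {
    throw new Meteor.Error('invalid-attachment-name', 'Attachment name contains disallowed markup');
  }
  // DOMPurify does not filter path separators; keep the name a plain basename. TODO(review): confirm the store strategy uses the name in a path.
  if (path.basename(newName) !== newName) {
    throw new Meteor.Error('invalid-attachment-name', 'Attachment name must not contain path separators');
  }
  const fileObj = Attachments.findOne({_id: fileObjId});
  if (!fileObj) {
    throw new Meteor.Error('attachment-not-found', 'Attachment not found');
  }
  rename(fileObj, newName, fileStoreStrategyFactory);
},
```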