
Fix image loading (mk2)

Signed-off-by: Reece Dunham <me@rdil.rocks>
Reece Dunham 2022-11-08 12:11:30 -05:00
parent 84984b036c
commit ffaabc6095
No known key found for this signature in database
GPG Key ID: 0D7E929D2089E040

@ -22,12 +22,12 @@ import parseUrl from "parseurl"
import axios from "axios" import axios from "axios"
import { log, LogLevel } from "../loggingInterop" import { log, LogLevel } from "../loggingInterop"
import { getFlag } from "../flags" import { getFlag } from "../flags"
import { createWriteStream } from "fs" import { Filename, JailFS, NodeFS, ppath } from "@yarnpkg/fslib"
import * as fs from "fs"
const fileNameSafeChars: readonly string[] = const imageJailFs = new JailFS(ppath.join(ppath.cwd(), "images" as Filename), {
"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_/".split( baseFs: new NodeFS(fs),
"", })
)
export async function imageFetchingMiddleware( export async function imageFetchingMiddleware(
req: RequestWithJwt, req: RequestWithJwt,
@ -51,16 +51,6 @@ export async function imageFetchingMiddleware(
return return
} }
// if the path has more than one period, or any of the characters are not in fileNameSafeChars, then we reject it
if (
path.split(".").length > 2 ||
path.split("").some((char) => !fileNameSafeChars.includes(char))
) {
log(LogLevel.WARN, `Invalid image path: ${path}`)
res.status(400).send("Arbitrary file access is not allowed.")
return
}
try { try {
const axiosResponse = await axios( const axiosResponse = await axios(
`https://img.rdil.rocks/images${path}`, `https://img.rdil.rocks/images${path}`,
@ -80,10 +70,9 @@ export async function imageFetchingMiddleware(
if (getFlag("imageLoading") === "SAVEASREQUESTED") { if (getFlag("imageLoading") === "SAVEASREQUESTED") {
log(LogLevel.DEBUG, `Saving image ${path} to disk.`) log(LogLevel.DEBUG, `Saving image ${path} to disk.`)
// we got the image, we should be fine const writeStream = imageJailFs.createWriteStream(
// may need to introduce extra security here in the future, not sure though ppath.resolve(path as Filename),
// we've got bidi and escape paths taken care of, so it should be enough, I hope? )
const writeStream = createWriteStream(`images${path}`)
writeStream.on("finish", () => { writeStream.on("finish", () => {
log(LogLevel.INFO, `Saved image ${path} to disk.`) log(LogLevel.INFO, `Saved image ${path} to disk.`)