From 70cf2b2c86f58d73e32666663d40df5e177110f0 Mon Sep 17 00:00:00 2001
From: Nazar Gargol
Date: Tue, 17 Dec 2019 15:08:04 +0700
Subject: [PATCH] Added input sanitization for backup path - We need to limit the allowed filename accepted by the method to avoid opening up path traversal attack
---
 core/server/data/db/backup.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/core/server/data/db/backup.js b/core/server/data/db/backup.js
index fb6d71278a..3075b94c53 100644
--- a/core/server/data/db/backup.js
+++ b/core/server/data/db/backup.js
@@ -18,8 +18,9 @@ writeExportFile = function writeExportFile(exportResult) {
 };
 const readBackup = async (filename) => {
- // TODO: prevent from directory traversal - need to sanitize the filename probably on validation layer
- var backupPath = path.resolve(urlUtils.urlJoin(config.get('paths').contentPath, 'data', filename));
+ const parsedFileName = path.parse(filename);
+ const sanitized = `${parsedFileName.name}${parsedFileName.ext}`;
+ const backupPath = path.resolve(urlUtils.urlJoin(config.get('paths').contentPath, 'data', sanitized));
 const exists = await fs.pathExists(backupPath);
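Review bot: The sanitising step in `readBackup` still lets through a filename whose final component is `..` or that is empty. `path.parse` then yields a `name` of `..` (or an empty string) with an empty `ext`, so `backupPath` resolves to the parent of the `data` directory, or to `data` itself, instead of a file inside it. Whether that amounts to more than a failed read depends on the rest of the body, which lies outside this hunk. A containment check after the resolve would make the guarantee explicit: reject the filename when `path.dirname(backupPath) !== dataDir`, where `dataDir` is the resolved `data` directory. `path.basename(filename)` should give the same string as the `name` + `ext` concatenation and states the intent more directly; a short comment such as `// only the final path component is honoured; directory parts are dropped` would replace the removed TODO.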