From 4dffae3f39259a5b7aa45023d9828a3ed84eb539 Mon Sep 17 00:00:00 2001 From: Jonathan Jogenfors Date: Fri, 6 Oct 2023 22:47:38 +0200 Subject: [PATCH] fix(server): normalize external path (#4239) * fix: use normalized external path * fix: move normalization to user core --- server/src/domain/library/library.service.ts | 2 +- server/src/domain/user/user.core.ts | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/server/src/domain/library/library.service.ts b/server/src/domain/library/library.service.ts index b29446a54a..0afb4f4237 100644 --- a/server/src/domain/library/library.service.ts +++ b/server/src/domain/library/library.service.ts @@ -155,7 +155,7 @@ export class LibraryService { return false; } - if (!path.normalize(assetPath).match(new RegExp(`^${user.externalPath}`))) { + if (!path.normalize(assetPath).match(new RegExp(`^${path.normalize(user.externalPath)}`))) { this.logger.error("Asset must be within the user's external path"); return false; } diff --git a/server/src/domain/user/user.core.ts b/server/src/domain/user/user.core.ts index 2034b1b7fa..44d977b750 100644 --- a/server/src/domain/user/user.core.ts +++ b/server/src/domain/user/user.core.ts @@ -8,6 +8,7 @@ import { } from '@nestjs/common'; import { ReadStream, constants, createReadStream } from 'fs'; import fs from 'fs/promises'; +import path from 'path'; import sanitize from 'sanitize-filename'; import { AuthUserDto } from '../auth'; import { ICryptoRepository } from '../crypto'; @@ -63,6 +64,8 @@ export class UserCore { if (dto.externalPath === '') { dto.externalPath = null; + } else if (dto.externalPath) { + dto.externalPath = path.normalize(dto.externalPath); } return this.userRepository.update(id, dto);