
fix: remote arbitrary file overwrite on file upload endpoint

This commit is contained in:
Elias Schneider 2024-11-17 16:07:21 +01:00
parent 51478b6a9f
commit 6cf5c66fe2
No known key found for this signature in database
GPG key ID: 07E623B294202B6C
2 changed files with 7 additions and 1 deletions


@ -68,6 +68,7 @@
"@types/qrcode-svg": "^1.1.5",
"@types/sharp": "^0.32.0",
"@types/supertest": "^6.0.2",
"@types/uuid": "^10.0.0",
"@typescript-eslint/eslint-plugin": "^8.6.0",
"@typescript-eslint/parser": "^8.6.0",
"cross-env": "^7.0.3",


@ -12,6 +12,7 @@ import * as fs from "fs";
import * as mime from "mime-types";
import { ConfigService } from "src/config/config.service";
import { PrismaService } from "src/prisma/prisma.service";
import { validate as isValidUUID } from "uuid";
import { SHARE_DIRECTORY } from "../constants";
@Injectable()
@ -28,7 +29,11 @@ export class FileService {
file: { id?: string; name: string },
shareId: string,
) {
if (!file.id) file.id = crypto.randomUUID();
if (!file.id) {
file.id = crypto.randomUUID();
} else if (!isValidUUID(file.id)) {
throw new BadRequestException("Invalid file ID format");
}
const share = await this.prisma.share.findUnique({
where: { id: shareId },