summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Mehren2021-04-25 21:28:18 +0200
committerGitHub2021-04-25 21:28:18 +0200
commit59f669e593bd408a9b5540a8002d7392d31849c4 (patch)
tree1656b9da989101f716e9bb14b7631833fd836116
parent6cda639eef372a10225b6c2b13f282d1f6cfabdd (diff)
parent44b7f607a542abc2f47ac141f2fd6cd1d34ed1c5 (diff)
Merge pull request from GHSA-p528-555r-pf87
Fix Relative Path Traversal Attack on note creation
Diffstat (limited to '')
-rw-r--r--lib/models/note.js6
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/models/note.js b/lib/models/note.js
index 7b8b6783..0c268e2e 100644
--- a/lib/models/note.js
+++ b/lib/models/note.js
@@ -94,7 +94,7 @@ module.exports = function (sequelize, DataTypes) {
let body = null
let filePath = null
if (note.alias) {
- filePath = path.join(config.docsPath, note.alias + '.md')
+ filePath = path.join(config.docsPath, path.basename(note.alias) + '.md')
}
if (!filePath || !Note.checkFileExist(filePath)) {
filePath = config.defaultNotePath
@@ -196,7 +196,7 @@ module.exports = function (sequelize, DataTypes) {
}
}).then(function (note) {
if (note) {
- const filePath = path.join(config.docsPath, noteId + '.md')
+ const filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
if (Note.checkFileExist(filePath)) {
// if doc in filesystem have newer modified time than last change time
// then will update the doc in db
@@ -238,7 +238,7 @@ module.exports = function (sequelize, DataTypes) {
return callback(null, note.id)
}
} else {
- const filePath = path.join(config.docsPath, noteId + '.md')
+ const filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
if (Note.checkFileExist(filePath)) {
Note.create({
alias: noteId,