diff options
| author | David Mehren | 2021-04-25 21:28:18 +0200 |
|---|---|---|
| committer | GitHub | 2021-04-25 21:28:18 +0200 |
| commit | 59f669e593bd408a9b5540a8002d7392d31849c4 (patch) | |
| tree | 1656b9da989101f716e9bb14b7631833fd836116 | |
| parent | 6cda639eef372a10225b6c2b13f282d1f6cfabdd (diff) | |
| parent | 44b7f607a542abc2f47ac141f2fd6cd1d34ed1c5 (diff) | |
Merge pull request from GHSA-p528-555r-pf87
Fix Relative Path Traversal Attack on note creation
| -rw-r--r-- | lib/models/note.js | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/lib/models/note.js b/lib/models/note.js index 7b8b6783..0c268e2e 100644 --- a/lib/models/note.js +++ b/lib/models/note.js @@ -94,7 +94,7 @@ module.exports = function (sequelize, DataTypes) { let body = null let filePath = null if (note.alias) { - filePath = path.join(config.docsPath, note.alias + '.md') + filePath = path.join(config.docsPath, path.basename(note.alias) + '.md') } if (!filePath || !Note.checkFileExist(filePath)) { filePath = config.defaultNotePath @@ -196,7 +196,7 @@ module.exports = function (sequelize, DataTypes) { } }).then(function (note) { if (note) { - const filePath = path.join(config.docsPath, noteId + '.md') + const filePath = path.join(config.docsPath, path.basename(noteId) + '.md') if (Note.checkFileExist(filePath)) { // if doc in filesystem have newer modified time than last change time // then will update the doc in db @@ -238,7 +238,7 @@ module.exports = function (sequelize, DataTypes) { return callback(null, note.id) } } else { - const filePath = path.join(config.docsPath, noteId + '.md') + const filePath = path.join(config.docsPath, path.basename(noteId) + '.md') if (Note.checkFileExist(filePath)) { Note.create({ alias: noteId, |