diff options
author | David Mehren | 2020-12-27 19:52:42 +0100 |
---|---|---|
committer | GitHub | 2020-12-27 19:52:42 +0100 |
commit | e9306991cdb5ff2752c1eeba3fedba42aec3c2d8 (patch) | |
tree | 50eea3b294f40287a8eded1938593d0a2c4f206a /lib/web | |
parent | 58276ebbf4504a682454a3686dcaff88bc1069d4 (diff) | |
parent | 6932cc4df7e0c2826e47b2d9ca2f0031f75b1b58 (diff) |
Merge pull request from GHSA-wcr3-xhv7-8gxc
Fix arbitrary file upload
Diffstat (limited to 'lib/web')
-rw-r--r-- | lib/web/imageRouter/filesystem.js | 11 | ||||
-rw-r--r-- | lib/web/imageRouter/index.js | 51 |
2 files changed, 52 insertions, 10 deletions
diff --git a/lib/web/imageRouter/filesystem.js b/lib/web/imageRouter/filesystem.js index 3ba09e88..f8fd7e16 100644 --- a/lib/web/imageRouter/filesystem.js +++ b/lib/web/imageRouter/filesystem.js @@ -1,6 +1,7 @@ 'use strict' const URL = require('url').URL const path = require('path') +const fs = require('fs') const config = require('../../config') const logger = require('../../logger') @@ -16,5 +17,13 @@ exports.uploadImage = function (imagePath, callback) { return } - callback(null, (new URL(path.basename(imagePath), config.serverURL + '/uploads/')).href) + const fileName = path.basename(imagePath) + // move image from temporary path to upload directory + try { + fs.copyFileSync(imagePath, path.join(config.uploadsPath, fileName)) + } catch (e) { + callback(new Error('Error while moving file'), null) + return + } + callback(null, (new URL(fileName, config.serverURL + '/uploads/')).href) } diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js index aa02e9b0..afa9bbf6 100644 --- a/lib/web/imageRouter/index.js +++ b/lib/web/imageRouter/index.js @@ -2,6 +2,11 @@ const Router = require('express').Router const formidable = require('formidable') +const path = require('path') +const FileType = require('file-type') +const fs = require('fs') +const os = require('os') +const rimraf = require('rimraf') const config = require('../../config') const logger = require('../../logger') @@ -9,26 +14,54 @@ const errors = require('../../errors') const imageRouter = module.exports = Router() +async function checkUploadType (filePath) { + const typeFromMagic = await FileType.fromFile(filePath) + if (typeFromMagic === undefined) { + logger.error(`Image upload error: Could not determine MIME-type`) + return false + } + if (path.extname(filePath) !== '.' + typeFromMagic.ext) { + logger.error(`Image upload error: Provided file extension does not match MIME-type`) + return false + } + if (!config.allowedUploadMimeTypes.includes(typeFromMagic.mime)) { + logger.error(`Image upload error: MIME-type "${typeFromMagic.mime}" of uploaded file not allowed, only "${config.allowedUploadMimeTypes.join(', ')}" are allowed`) + return false + } + return true +} + // upload image imageRouter.post('/uploadimage', function (req, res) { - var form = new formidable.IncomingForm() + if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) { + logger.error(`Image upload error: Anonymous edits and therefore uploads are not allowed)`) + return errors.errorForbidden(res) + } + var form = new formidable.IncomingForm() form.keepExtensions = true + const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'hedgedoc-')) + form.uploadDir = tmpDir - if (config.imageUploadType === 'filesystem') { - form.uploadDir = config.uploadsPath - } - - form.parse(req, function (err, fields, files) { - if (err || !files.image || !files.image.path) { - logger.error(`formidable error: ${err}`) - errors.errorForbidden(res) + form.parse(req, async function (err, fields, files) { + if (err) { + logger.error(`Image upload error: formidable error: ${err}`) + rimraf(tmpDir) + return errors.errorForbidden(res) + } else if (!files.image || !files.image.path) { + logger.error(`Image upload error: Upload didn't contain file)`) + rimraf.sync(tmpDir) + return errors.errorBadRequest(res) + } else if (!await checkUploadType(files.image.path)) { + rimraf.sync(tmpDir) + return errors.errorBadRequest(res) } else { logger.debug(`SERVER received uploadimage: ${JSON.stringify(files.image)}`) const uploadProvider = require('./' + config.imageUploadType) logger.debug(`imageRouter: Uploading ${files.image.path} using ${config.imageUploadType}`) uploadProvider.uploadImage(files.image.path, function (err, url) { + rimraf.sync(tmpDir) if (err !== null) { logger.error(err) return res.status(500).end('upload image error') |