From 6932cc4df7e0c2826e47b2d9ca2f0031f75b1b58 Mon Sep 17 00:00:00 2001 From: David Mehren Date: Sun, 27 Dec 2020 15:52:26 +0100 Subject: Always save uploads to a tmpdir first and cleanup afterwards This makes sure no unintended files are permanently saved. Co-authored-by: Yannick Bungers Signed-off-by: David Mehren --- lib/web/imageRouter/filesystem.js | 11 ++++++++++- lib/web/imageRouter/index.js | 22 ++++++++++++++-------- package.json | 1 + 3 files changed, 25 insertions(+), 9 deletions(-) diff --git a/lib/web/imageRouter/filesystem.js b/lib/web/imageRouter/filesystem.js index 3ba09e88..f8fd7e16 100644 --- a/lib/web/imageRouter/filesystem.js +++ b/lib/web/imageRouter/filesystem.js @@ -1,6 +1,7 @@ 'use strict' const URL = require('url').URL const path = require('path') +const fs = require('fs') const config = require('../../config') const logger = require('../../logger') @@ -16,5 +17,13 @@ exports.uploadImage = function (imagePath, callback) { return } - callback(null, (new URL(path.basename(imagePath), config.serverURL + '/uploads/')).href) + const fileName = path.basename(imagePath) + // move image from temporary path to upload directory + try { + fs.copyFileSync(imagePath, path.join(config.uploadsPath, fileName)) + } catch (e) { + callback(new Error('Error while moving file'), null) + return + } + callback(null, (new URL(fileName, config.serverURL + '/uploads/')).href) } diff --git a/lib/web/imageRouter/index.js b/lib/web/imageRouter/index.js index 5861a2bc..afa9bbf6 100644 --- a/lib/web/imageRouter/index.js +++ b/lib/web/imageRouter/index.js @@ -4,6 +4,9 @@ const Router = require('express').Router const formidable = require('formidable') const path = require('path') const FileType = require('file-type') +const fs = require('fs') +const os = require('os') +const rimraf = require('rimraf') const config = require('../../config') const logger = require('../../logger') @@ -30,25 +33,27 @@ async function checkUploadType (filePath) { // upload image imageRouter.post('/uploadimage', function (req, res) { - var form = new formidable.IncomingForm() + if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) { + logger.error(`Image upload error: Anonymous edits and therefore uploads are not allowed)`) + return errors.errorForbidden(res) + } + var form = new formidable.IncomingForm() form.keepExtensions = true - - if (config.imageUploadType === 'filesystem') { - form.uploadDir = config.uploadsPath - } + const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'hedgedoc-')) + form.uploadDir = tmpDir form.parse(req, async function (err, fields, files) { if (err) { logger.error(`Image upload error: formidable error: ${err}`) - return errors.errorForbidden(res) - } else if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) { - logger.error(`Image upload error: Anonymous edits and therefore uploads are not allowed)`) + rimraf(tmpDir) return errors.errorForbidden(res) } else if (!files.image || !files.image.path) { logger.error(`Image upload error: Upload didn't contain file)`) + rimraf.sync(tmpDir) return errors.errorBadRequest(res) } else if (!await checkUploadType(files.image.path)) { + rimraf.sync(tmpDir) return errors.errorBadRequest(res) } else { logger.debug(`SERVER received uploadimage: ${JSON.stringify(files.image)}`) @@ -56,6 +61,7 @@ imageRouter.post('/uploadimage', function (req, res) { const uploadProvider = require('./' + config.imageUploadType) logger.debug(`imageRouter: Uploading ${files.image.path} using ${config.imageUploadType}`) uploadProvider.uploadImage(files.image.path, function (err, url) { + rimraf.sync(tmpDir) if (err !== null) { logger.error(err) return res.status(500).end('upload image error') diff --git a/package.json b/package.json index c77045ab..ae234182 100644 --- a/package.json +++ b/package.json @@ -112,6 +112,7 @@ "readline-sync": "^1.4.7", "request": "^2.88.0", "reveal.js": "^3.9.2", + "rimraf": "^3.0.2", "scrypt-async": "^2.0.1", "scrypt-kdf": "^2.0.1", "select2": "^3.5.2-browserify", -- cgit v1.2.3