admin/n8n-enterprise-unlocked
1
0
Fork 0
mirror of https://github.com/Abdulazizzn/n8n-enterprise-unlocked.git synced 2025-12-17 01:56:46 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(core): Add additional path-traversal guards on res.sendFile calls (no-changelog) (#6505)

Browse Source
This commit is contained in:
कारतोफ्फेलस्क्रिप्ट™
2023-06-21 22:20:47 +02:00
committed by GitHub
parent 772ed7ff10
commit 42a9e20e32
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
packages/cli/src/Server.ts
View File

@@ -14,7 +14,7 @@ import assert from 'assert';
import { exec as callbackExec } from 'child_process';
import { access as fsAccess } from 'fs/promises';
import os from 'os';
import { join as pathJoin, resolve as pathResolve } from 'path';
import { join as pathJoin, resolve as pathResolve, relative as pathRelative } from 'path';
import { createHmac } from 'crypto';
import { promisify } from 'util';
import cookieParser from 'cookie-parser';
@@ -1467,6 +1467,9 @@ export class Server extends AbstractServer {
loader.directory,
req.originalUrl.substring(pathPrefix.length),
);
if (pathRelative(loader.directory, filePath).includes('..')) {
return res.status(404).end();
}
try {
await fsAccess(filePath);
return res.sendFile(filePath);