feat(server): sanitized path for asset creation process to avoid security risk (#717)

* feat(server): sanitize the upload destination and file name built from request body fields (deviceId, fileExtension) so they cannot contain path separators or traversal segments

* Sanitize resize path
Alex
2022-09-18 15:16:53 -05:00
committed by GitHub
parent ece94f6bdc
commit e3ccc3ee6b
5 changed files with 323 additions and 842 deletions


@@ -6,6 +6,7 @@ import { diskStorage } from 'multer';
import { extname, join } from 'path';
import { Request } from 'express';
import { randomUUID } from 'crypto';
import sanitize from 'sanitize-filename';
export const assetUploadOption: MulterOptions = {
fileFilter: (req: Request, file: any, cb: any) => {
@@ -19,17 +20,13 @@ export const assetUploadOption: MulterOptions = {
storage: diskStorage({
destination: (req: Request, file: Express.Multer.File, cb: any) => {
const basePath = APP_UPLOAD_LOCATION;
// TODO these are currently not used. Shall we remove them?
// const fileInfo = req.body as CreateAssetDto;
// const yearInfo = new Date(fileInfo.createdAt).getFullYear();
// const monthInfo = new Date(fileInfo.createdAt).getMonth();
if (!req.user) {
return;
}
const originalUploadFolder = join(basePath, req.user.id, 'original', req.body['deviceId']);
const sanitizedDeviceId = sanitize(req.body['deviceId']);
const originalUploadFolder = join(basePath, req.user.id, 'original', sanitizedDeviceId);
if (!existsSync(originalUploadFolder)) {
mkdirSync(originalUploadFolder, { recursive: true });
@@ -41,8 +38,9 @@ export const assetUploadOption: MulterOptions = {
filename: (req: Request, file: Express.Multer.File, cb: any) => {
const fileNameUUID = randomUUID();
const fileName = `${fileNameUUID}${req.body['fileExtension'].toLowerCase()}`;
cb(null, `${fileNameUUID}${req.body['fileExtension'].toLowerCase()}`);
cb(null, sanitize(fileName));
},
}),
};
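Review bot: `sanitize()` on the new `sanitizedDeviceId` line throws a TypeError when `req.body['deviceId']` is not a string (field missing, or repeated so that multer collects it into an array), and `.toLowerCase()` on `req.body['fileExtension']` in the filename callback fails the same way; because these run inside multer's storage callbacks the error is thrown instead of handed to `cb`, so a malformed request surfaces as an unhandled exception rather than a clean 400. sanitize-filename also returns an empty string for inputs such as `..` or `///`, which silently collapses the destination onto the shared `original` directory instead of rejecting the upload, and the pre-existing `if (!req.user) return;` never invokes `cb`, leaving that request hanging. Both callbacks should type-check the body field and reject an empty sanitized result via `cb(err)`, as sketched below for `destination`. Separately, the extension is still taken from the client body rather than the validated file; if `fileFilter` (outside the hunk) only inspects the mimetype, arbitrary content can be stored under an arbitrary extension — consider deriving it from `extname(file.originalname)` as the profile-image option does, or allow-listing it. Body fields are only visible in these callbacks if they precede the file part in the multipart stream, so that client ordering assumption deserves a comment.
```typescript
destination: (req: Request, file: Express.Multer.File, cb: any) => {
  const basePath = APP_UPLOAD_LOCATION;
  if (!req.user) {
    return cb(new Error('Unauthenticated upload'), '');
  }
  const rawDeviceId = req.body['deviceId'];
  // sanitize() throws on non-strings and yields '' for inputs like '..' or '///'
  const sanitizedDeviceId = typeof rawDeviceId === 'string' ? sanitize(rawDeviceId) : '';
  if (!sanitizedDeviceId) {
    return cb(new Error('Missing or invalid deviceId'), '');
  }
  const originalUploadFolder = join(basePath, req.user.id, 'original', sanitizedDeviceId);
  // … unchanged: mkdirSync and cb(null, originalUploadFolder) …
```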


@@ -5,6 +5,7 @@ import { existsSync, mkdirSync } from 'fs';
import { diskStorage } from 'multer';
import { extname } from 'path';
import { Request } from 'express';
import sanitize from 'sanitize-filename';
export const profileImageUploadOption: MulterOptions = {
fileFilter: (req: Request, file: any, cb: any) => {
@@ -35,8 +36,9 @@ export const profileImageUploadOption: MulterOptions = {
return;
}
const userId = req.user.id;
const fileName = `${userId}${extname(file.originalname)}`;
cb(null, `${userId}${extname(file.originalname)}`);
cb(null, sanitize(fileName));
},
}),
};
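Review bot: `extname(file.originalname)` on the new `fileName` line is taken verbatim from the client, and `sanitize()` only strips separators, control and reserved characters, so a user can still have their profile image stored as `<userId>.html` or `<userId>.svg`; unless `fileFilter` above (outside the hunk) ties the extension to the accepted image types, allow-list it, e.g. `const ext = extname(file.originalname).toLowerCase();` followed by a check against the image extensions the filter accepts before building the name. Because the stored name varies with the extension, uploading a `.png` and later a `.jpg` leaves both files on disk; whether the serving side copes with that is not visible here. The guard whose `return;` is shown at the top of the hunk appears to exit without calling `cb`, which leaves the request hanging — `return cb(new Error('Unauthenticated upload'), '');` is the usual shape. The enclosing `filename` callback starts outside the hunk.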