Merge pull request from GHSA-p528-555r-pf87

Fix Relative Path Traversal Attack on note creation
2024-11-25 03:06:31 -05:00 · 2021-04-25 21:28:18 +02:00 · 2021-04-25 21:28:18 +02:00 · 59f669e593
commit 59f669e593
parent 6cda639eef 44b7f607a5
1 changed files with 3 additions and 3 deletions
--- a/lib/models/note.js
+++ b/lib/models/note.js
@ -94,7 +94,7 @@ module.exports = function (sequelize, DataTypes) {
            let body = null
            let filePath = null
            if (note.alias) {
-              filePath = path.join(config.docsPath, note.alias + '.md')
+              filePath = path.join(config.docsPath, path.basename(note.alias) + '.md')
            }
            if (!filePath || !Note.checkFileExist(filePath)) {
              filePath = config.defaultNotePath
@ -196,7 +196,7 @@ module.exports = function (sequelize, DataTypes) {
          }
        }).then(function (note) {
          if (note) {
-            const filePath = path.join(config.docsPath, noteId + '.md')
+            const filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
            if (Note.checkFileExist(filePath)) {
              // if doc in filesystem have newer modified time than last change time
              // then will update the doc in db
@ -238,7 +238,7 @@ module.exports = function (sequelize, DataTypes) {
              return callback(null, note.id)
            }
          } else {
-            const filePath = path.join(config.docsPath, noteId + '.md')
+            const filePath = path.join(config.docsPath, path.basename(noteId) + '.md')
            if (Note.checkFileExist(filePath)) {
              Note.create({
                alias: noteId,