Skip to content
Permalink
Browse files Browse the repository at this point in the history
Merge pull request from GHSA-wcr3-xhv7-8gxc
Fix arbitrary file upload
  • Loading branch information
davidmehren committed Dec 27, 2020
2 parents 58276eb + 6932cc4 commit e930699
Show file tree
Hide file tree
Showing 4 changed files with 333 additions and 55 deletions.
11 changes: 10 additions & 1 deletion lib/web/imageRouter/filesystem.js
@@ -1,6 +1,7 @@
'use strict'
const URL = require('url').URL
const path = require('path')
const fs = require('fs')

const config = require('../../config')
const logger = require('../../logger')
Expand All @@ -16,5 +17,13 @@ exports.uploadImage = function (imagePath, callback) {
return
}

callback(null, (new URL(path.basename(imagePath), config.serverURL + '/uploads/')).href)
const fileName = path.basename(imagePath)
// move image from temporary path to upload directory
try {
fs.copyFileSync(imagePath, path.join(config.uploadsPath, fileName))
} catch (e) {
callback(new Error('Error while moving file'), null)
return
}
callback(null, (new URL(fileName, config.serverURL + '/uploads/')).href)
}
51 changes: 42 additions & 9 deletions lib/web/imageRouter/index.js
Expand Up @@ -2,33 +2,66 @@

const Router = require('express').Router
const formidable = require('formidable')
const path = require('path')
const FileType = require('file-type')
const fs = require('fs')
const os = require('os')
const rimraf = require('rimraf')

const config = require('../../config')
const logger = require('../../logger')
const errors = require('../../errors')

const imageRouter = module.exports = Router()

async function checkUploadType (filePath) {
const typeFromMagic = await FileType.fromFile(filePath)
if (typeFromMagic === undefined) {
logger.error(`Image upload error: Could not determine MIME-type`)
return false
}
if (path.extname(filePath) !== '.' + typeFromMagic.ext) {
logger.error(`Image upload error: Provided file extension does not match MIME-type`)
return false
}
if (!config.allowedUploadMimeTypes.includes(typeFromMagic.mime)) {
logger.error(`Image upload error: MIME-type "${typeFromMagic.mime}" of uploaded file not allowed, only "${config.allowedUploadMimeTypes.join(', ')}" are allowed`)
return false
}
return true
}

// upload image
imageRouter.post('/uploadimage', function (req, res) {
var form = new formidable.IncomingForm()
if (!req.isAuthenticated() && !config.allowAnonymous && !config.allowAnonymousEdits) {
logger.error(`Image upload error: Anonymous edits and therefore uploads are not allowed)`)
return errors.errorForbidden(res)
}

var form = new formidable.IncomingForm()
form.keepExtensions = true
const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), 'hedgedoc-'))
form.uploadDir = tmpDir

if (config.imageUploadType === 'filesystem') {
form.uploadDir = config.uploadsPath
}

form.parse(req, function (err, fields, files) {
if (err || !files.image || !files.image.path) {
logger.error(`formidable error: ${err}`)
errors.errorForbidden(res)
form.parse(req, async function (err, fields, files) {
if (err) {
logger.error(`Image upload error: formidable error: ${err}`)
rimraf(tmpDir)
return errors.errorForbidden(res)
} else if (!files.image || !files.image.path) {
logger.error(`Image upload error: Upload didn't contain file)`)
rimraf.sync(tmpDir)
return errors.errorBadRequest(res)
} else if (!await checkUploadType(files.image.path)) {
rimraf.sync(tmpDir)
return errors.errorBadRequest(res)
} else {
logger.debug(`SERVER received uploadimage: ${JSON.stringify(files.image)}`)

const uploadProvider = require('./' + config.imageUploadType)
logger.debug(`imageRouter: Uploading ${files.image.path} using ${config.imageUploadType}`)
uploadProvider.uploadImage(files.image.path, function (err, url) {
rimraf.sync(tmpDir)
if (err !== null) {
logger.error(err)
return res.status(500).end('upload image error')
Expand Down
2 changes: 2 additions & 0 deletions package.json
Expand Up @@ -43,6 +43,7 @@
"express": ">=4.14",
"express-session": "^1.14.2",
"file-saver": "^1.3.3",
"file-type": "^16.1.0",
"flowchart.js": "^1.6.4",
"fork-awesome": "^1.1.3",
"formidable": "^1.0.17",
Expand Down Expand Up @@ -111,6 +112,7 @@
"readline-sync": "^1.4.7",
"request": "^2.88.0",
"reveal.js": "^3.9.2",
"rimraf": "^3.0.2",
"scrypt-async": "^2.0.1",
"scrypt-kdf": "^2.0.1",
"select2": "^3.5.2-browserify",
Expand Down

0 comments on commit e930699

Please sign in to comment.