CHANGELOG.md

@@ -1,3 +1,10 @@
+## [0.510.3](https://github.com/lightdash/lightdash/compare/0.510.2...0.510.3) (2023-04-14)
+
+
+### Bug Fixes
+
+* add extra security to file endpoints ([#5090](https://github.com/lightdash/lightdash/issues/5090)) ([fcc808c](https://github.com/lightdash/lightdash/commit/fcc808c84c2cc3afb343063e32a49440d32a553c))
+
 ## [0.510.2](https://github.com/lightdash/lightdash/compare/0.510.1...0.510.2) (2023-04-14)
 
 

package.json

@@ -1,6 +1,6 @@
 {
     "name": "lightdash",
-    "version": "0.510.2",
+    "version": "0.510.3",
     "main": "index.js",
     "license": "MIT",
     "private": true,

packages/backend/package.json

@@ -1,6 +1,6 @@
 {
     "name": "backend",
-    "version": "0.510.2",
+    "version": "0.510.3",
     "main": "dist/index",
     "license": "MIT",
     "devDependencies": {
@@ -29,8 +29,8 @@
         "@aws-sdk/lib-storage": "^3.306.0",
         "@aws-sdk/s3-request-presigner": "^3.272.0",
         "@casl/ability": "^5.4.3",
-        "@lightdash/common": "^0.510.2",
-        "@lightdash/warehouses": "^0.510.2",
+        "@lightdash/common": "^0.510.3",
+        "@lightdash/warehouses": "^0.510.3",
         "@rudderstack/rudder-sdk-node": "^1.1.3",
         "@sentry/node": "^7.37.2",
         "@sentry/tracing": "^7.37.2",

packages/backend/src/routers/projectRouter.ts

@@ -242,21 +242,20 @@ projectRouter.get(
 
     async (req, res, next) => {
         try {
-            if (!req.params.fileId.startsWith('csv-')) {
-                throw new NotFoundError(
-                    `CSV file not found ${req.params.fileId}`,
-                );
+            const { fileId } = req.params;
+
+            if (!fileId.startsWith('csv-') || !fileId.endsWith('.csv')) {
+                throw new NotFoundError(`CSV file not found ${fileId}`);
             }
-            const filePath = path.join('/tmp', req.params.fileId);
+            const sanitizedFileId = fileId.replace('..', '');
+
+            const filePath = path.join('/tmp', sanitizedFileId);
             if (!fs.existsSync(filePath)) {
-                const error = `This file ${req.params.fileId} doesn't exist on this server, this may be happening if you are running multiple containers or because files are not persisted. You can check out our docs to learn more on how to enable cloud storage: https://docs.lightdash.com/self-host/customize-deployment/configure-lightdash-to-use-external-object-storage`;
+                const error = `This file ${fileId} doesn't exist on this server, this may be happening if you are running multiple containers or because files are not persisted. You can check out our docs to learn more on how to enable cloud storage: https://docs.lightdash.com/self-host/customize-deployment/configure-lightdash-to-use-external-object-storage`;
                 throw new NotFoundError(error);
             }
             res.set('Content-Type', 'text/csv');
-            res.set(
-                'Content-Disposition',
-                `attachment; filename=${req.params.fileId}`,
-            );
+            res.set('Content-Disposition', `attachment; filename=${fileId}`);
             res.sendFile(filePath);
         } catch (error) {
             next(error);

packages/backend/src/routers/slackRouter.ts

@@ -58,14 +58,20 @@ slackRouter.get(
 
     async (req, res, next) => {
         try {
-            if (!req.params.imageId.startsWith('slack-image')) {
+            const { imageId } = req.params;
+            if (
+                !imageId.startsWith('slack-image') ||
+                !imageId.endsWith('.png')
+            ) {
                 throw new NotFoundError(
                     `Slack image not found ${req.params.imageId}`,
                 );
             }
-            const filePath = path.join('/tmp', req.params.imageId);
+            const sanitizedImageId = imageId.replace('..', '');
+
+            const filePath = path.join('/tmp', sanitizedImageId);
             if (!fs.existsSync(filePath)) {
-                const error = `This file ${req.params.imageId} doesn't exist on this server, this may be happening if you are running multiple containers or because files are not persisted. You can check out our docs to learn more on how to enable cloud storage: https://docs.lightdash.com/self-host/customize-deployment/configure-lightdash-to-use-external-object-storage`;
+                const error = `This file ${imageId} doesn't exist on this server, this may be happening if you are running multiple containers or because files are not persisted. You can check out our docs to learn more on how to enable cloud storage: https://docs.lightdash.com/self-host/customize-deployment/configure-lightdash-to-use-external-object-storage`;
                 throw new NotFoundError(error);
             }
             res.sendFile(filePath);

packages/cli/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@lightdash/cli",
-    "version": "0.510.2",
+    "version": "0.510.3",
     "license": "MIT",
     "bin": {
         "lightdash": "dist/index.js"
@@ -10,8 +10,8 @@
         "track.sh"
     ],
     "dependencies": {
-        "@lightdash/common": "^0.510.2",
-        "@lightdash/warehouses": "^0.510.2",
+        "@lightdash/common": "^0.510.3",
+        "@lightdash/warehouses": "^0.510.3",
         "ajv": "^8.11.0",
         "ajv-formats": "^2.1.1",
         "better-ajv-errors": "^1.2.0",

packages/common/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@lightdash/common",
-    "version": "0.510.2",
+    "version": "0.510.3",
     "main": "dist/index.js",
     "types": "dist/index.d.ts",
     "files": [

packages/e2e/package.json

@@ -1,6 +1,6 @@
 {
     "name": "e2e",
-    "version": "0.510.2",
+    "version": "0.510.3",
     "main": "index.js",
     "license": "MIT",
     "scripts": {
@@ -19,6 +19,6 @@
         "cypress": "^12.5.1",
         "cypress-file-upload": "^5.0.8",
         "node-fetch": "^2.6.1",
-        "@lightdash/common": "^0.510.2"
+        "@lightdash/common": "^0.510.3"
     }
 }

packages/frontend/package.json

@@ -1,6 +1,6 @@
 {
     "name": "frontend",
-    "version": "0.510.2",
+    "version": "0.510.3",
     "private": true,
     "dependencies": {
         "@blueprintjs/core": "^4.16.3",
@@ -13,7 +13,7 @@
         "@emotion/react": "^11.10.6",
         "@fullstory/browser": "^1.6.2",
         "@hookform/error-message": "^2.0.0",
-        "@lightdash/common": "^0.510.2",
+        "@lightdash/common": "^0.510.3",
         "@mantine/core": "^6.0.5",
         "@mantine/form": "^6.0.5",
         "@mantine/hooks": "^6.0.5",

packages/frontend/src/components/ExploreFromHereButton/index.tsx

@@ -1,4 +1,5 @@
 import { subject } from '@casl/ability';
+import { IconTelescope } from '@tabler/icons-react';
 import { useMemo } from 'react';
 import { getExplorerUrlFromCreateSavedChartVersion } from '../../hooks/useExplorerRoute';
 import { useApp } from '../../providers/AppProvider';
@@ -36,7 +37,7 @@ const ExploreFromHereButton = () => {
         <StyledLinkButton
             intent="primary"
             large
-            icon="series-search"
+            icon={<IconTelescope size={16} />}
             href={exploreFromHereUrl}
         >
             Explore from here

packages/frontend/src/components/Explorer/SavedChartsHeader/index.tsx

@@ -8,7 +8,7 @@ import {
 } from '@blueprintjs/core';
 import { MenuItem2, Popover2, Tooltip2 } from '@blueprintjs/popover2';
 import { subject } from '@casl/ability';
-import { IconPencil } from '@tabler/icons-react';
+import { IconDots, IconPencil } from '@tabler/icons-react';
 import { FC, useEffect, useState } from 'react';
 import { useHistory, useLocation, useParams } from 'react-router-dom';
 import { useToggle } from 'react-use';
@@ -237,7 +237,7 @@ const SavedChartsHeader: FC = () => {
                         {!isEditMode ? (
                             <>
                                 <Button
-                                    icon="edit"
+                                    icon={<IconPencil size={16} />}
                                     onClick={() =>
                                         history.push({
                                             pathname: `/projects/${savedChart?.projectUuid}/saved/${savedChart?.uuid}/edit`,
@@ -374,7 +374,8 @@ const SavedChartsHeader: FC = () => {
                             }
                         >
                             <Button
-                                icon="more"
+                                style={{ padding: '5px 7px' }}
+                                icon={<IconDots size={16} />}
                                 disabled={!unsavedChartVersion.tableName}
                             />
                         </Popover2>

packages/frontend/src/components/ShareLinkButton/index.tsx

@@ -1,3 +1,4 @@
+import { IconLink } from '@tabler/icons-react';
 import { FC } from 'react';
 import CopyToClipboard from 'react-copy-to-clipboard';
 import useToaster from '../../hooks/toaster/useToaster';
@@ -15,7 +16,7 @@ const ShareLinkButton: FC<{ url: string }> = ({ url }) => {
                 })
             }
         >
-            <ShareLink icon="link" />
+            <ShareLink icon={<IconLink size={16} />} />
         </CopyToClipboard>
     );
 };

packages/frontend/src/components/common/Dashboard/DashboardHeader.tsx

@@ -1,7 +1,7 @@
 import { Button, Classes, Divider, Intent, Menu } from '@blueprintjs/core';
 import { MenuItem2, Popover2, Tooltip2 } from '@blueprintjs/popover2';
 import { Dashboard, Space, UpdatedByUser } from '@lightdash/common';
-import { IconPencil } from '@tabler/icons-react';
+import { IconDots, IconPencil } from '@tabler/icons-react';
 import { useEffect, useState } from 'react';
 import { useHistory, useLocation, useParams } from 'react-router-dom';
 import { useToggle } from 'react-use';
@@ -188,7 +188,7 @@ const DashboardHeader = ({
             ) : userCanManageDashboard ? (
                 <PageActionsContainer>
                     <Button
-                        icon="edit"
+                        icon={<IconPencil size={16} />}
                         text="Edit dashboard"
                         onClick={() => {
                             history.replace(
@@ -287,7 +287,10 @@ const DashboardHeader = ({
                             </Menu>
                         }
                     >
-                        <Button icon="more" />
+                        <Button
+                            style={{ padding: '5px 7px' }}
+                            icon={<IconDots size={16} />}
+                        />
                     </Popover2>
 
                     {isCreatingNewSpace && (

packages/frontend/src/components/common/ShareShortLinkButton/index.tsx

@@ -1,3 +1,4 @@
+import { IconLink } from '@tabler/icons-react';
 import copy from 'copy-to-clipboard';
 import React, { FC, useEffect } from 'react';
 import { useLocation } from 'react-router-dom';
@@ -36,7 +37,7 @@ const ShareShortLinkButton: FC<{ disabled?: boolean }> = ({ disabled }) => {
                 createShareUrl(shareUrl);
             }}
             disabled={isDisabled}
-            icon="link"
+            icon={<IconLink size={16} />}
         />
     );
 };

packages/warehouses/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@lightdash/warehouses",
-    "version": "0.510.2",
+    "version": "0.510.3",
     "license": "MIT",
     "main": "dist/index.js",
     "types": "dist/index.d.ts",
@@ -11,7 +11,7 @@
         "@databricks/sql": "1.1.0",
         "trino-client": "^0.2.0",
         "@google-cloud/bigquery": "^5.9.1",
-        "@lightdash/common": "^0.510.2",
+        "@lightdash/common": "^0.510.3",
         "lodash": "^4.17.21",
         "pg": "^8.7.1",
         "snowflake-sdk": "^1.6.20"