dbgate-api
Version:
Allows run DbGate data-manipulation scripts.
53 lines (46 loc) • 1.63 kB
JavaScript
const path = require('path');
const { filesdir, archivedir, uploadsdir, appdir } = require('../utility/directories');
function checkSecureFilePathsWithoutDirectory(...filePaths) {
for (const filePath of filePaths) {
if (filePath.includes('..') || filePath.includes('/') || filePath.includes('\\')) {
return false;
}
}
return true;
}
function checkSecureDirectories(...filePaths) {
for (const filePath of filePaths) {
if (!filePath.includes('/') && !filePath.includes('\\')) {
// If the filePath does not contain any directory separators, it is considered secure
continue;
}
const directory = path.dirname(filePath);
if (directory != filesdir() && directory != uploadsdir() && directory != archivedir() && directory != appdir()) {
return false;
}
}
return true;
}
function findDisallowedFileNames(node, isAllowed, trace = '$', out = []) {
if (node && typeof node === 'object') {
if (node?.props?.fileName) {
const name = node.props.fileName;
const ok = isAllowed(name);
if (!ok) out.push({ path: `${trace}.props.fileName`, value: name });
}
// depth-first scan of every property / array index
for (const [key, val] of Object.entries(node)) {
findDisallowedFileNames(val, isAllowed, `${trace}.${key}`, out);
}
}
return out;
}
function checkSecureDirectoriesInScript(script) {
const disallowed = findDisallowedFileNames(script, checkSecureDirectories);
return disallowed.length == 0;
}
module.exports = {
checkSecureDirectories,
checkSecureFilePathsWithoutDirectory,
checkSecureDirectoriesInScript,
};