@actual-app/sync-server 25.11.0-nightly.20251026 → 25.11.0-nightly.20251028

package/build/src/app-sync.js

@@ -1,6 +1,7 @@
 // @ts-strict-ignore
 import { Buffer } from 'node:buffer';
 import fs from 'node:fs/promises';
+import { resolve } from 'node:path';
 import { SyncProtoBuf } from '@actual-app/crdt';
 import express from 'express';
 import { v4 as uuidv4 } from 'uuid';
@@ -226,8 +227,14 @@ app.get('/download-user-file', async (req, res) => {
     if (!verifyFileExists(fileId, filesService, res, 'User or file not found')) {
         return;
     }
+    const path = getPathForUserFile(fileId);
+    if (!path.startsWith(resolve(config.get('userFiles')))) {
+        //Ensure the user doesn't try to access files outside of the user files directory
+        res.status(403).send('Access denied');
+        return;
+    }
     res.setHeader('Content-Disposition', `attachment;filename=${fileId}`);
-    res.sendFile(getPathForUserFile(fileId));
+    res.sendFile(path, { dotfiles: 'allow' });
 });
 app.post('/update-user-filename', (req, res) => {
     const { fileId, name } = req.body || {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@actual-app/sync-server",
-  "version": "25.11.0-nightly.20251026",
+  "version": "25.11.0-nightly.20251028",
   "license": "MIT",
   "description": "actual syncing server",
   "bin": {
@@ -28,7 +28,7 @@
   },
   "dependencies": {
     "@actual-app/crdt": "2.1.0",
-    "@actual-app/web": "25.11.0-nightly.20251026",
+    "@actual-app/web": "25.11.0-nightly.20251028",
     "bcrypt": "^6.0.0",
     "better-sqlite3": "^12.4.1",
     "convict": "^6.2.4",