@nocobase/plugin-file-manager 2.1.0-alpha.45 → 2.1.0-alpha.46

package/dist/server/actions/storage-validation.js

@@ -0,0 +1,73 @@
+/**
+ * This file is part of the NocoBase (R) project.
+ * Copyright (c) 2020-2024 NocoBase Co., Ltd.
+ * Authors: NocoBase Team.
+ *
+ * This project is dual-licensed under AGPL-3.0 and NocoBase Commercial License.
+ * For more information, please refer to: https://www.nocobase.com/agreement.
+ */
+
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var storage_validation_exports = {};
+__export(storage_validation_exports, {
+  validateStorageMiddleware: () => validateStorageMiddleware
+});
+module.exports = __toCommonJS(storage_validation_exports);
+var import_local = require("../storages/local");
+async function validateStorageMiddleware(ctx, next) {
+  const { actionName, params } = ctx.action;
+  const values = params.values || {};
+  let storage = values;
+  const hasSubmittedDocumentRoot = Object.prototype.hasOwnProperty.call(values.options || {}, "documentRoot");
+  if (actionName === "update" && params.filterByTk) {
+    const repository = ctx.db.getRepository("storages");
+    let existing = await repository.findById(params.filterByTk);
+    if (!existing) {
+      existing = await repository.findOne({
+        filter: {
+          name: params.filterByTk
+        }
+      });
+    }
+    if (existing) {
+      const existingValues = existing.toJSON();
+      storage = {
+        ...existingValues,
+        ...values,
+        options: {
+          ...existingValues.options || {},
+          ...values.options || {}
+        }
+      };
+    }
+  }
+  try {
+    (0, import_local.validateLocalStorageConfig)(storage, { validateDocumentRoot: hasSubmittedDocumentRoot });
+  } catch (error) {
+    if (error.code === "PATH_TRAVERSAL") {
+      return ctx.throw(400, error.message);
+    }
+    throw error;
+  }
+  await next();
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  validateStorageMiddleware
+});

package/dist/server/server.js

@@ -216,6 +216,9 @@ class PluginFileManagerServer extends import_server.Plugin {
     this.storageTypes.register(import_constants.STORAGE_TYPE_S3, import_s3.default);
     this.storageTypes.register(import_constants.STORAGE_TYPE_TX_COS, import_tx_cos.default);
     const Storage = this.db.getModel("storages");
+    Storage.beforeSave((m) => {
+      (0, import_local.validateLocalStorageConfig)(m.toJSON());
+    });
     Storage.afterSave(async (m, { transaction }) => {
       await this.loadStorages({ transaction });
       this.sendSyncMessage({ type: "reloadStorages" }, { transaction });

package/dist/server/storages/local.d.ts

@@ -10,8 +10,12 @@
 import multer from 'multer';
 import type { Readable } from 'stream';
 import { AttachmentModel, StorageType } from '.';
+export declare function normalizeLocalStoragePath(storagePath?: unknown): string;
 export declare function getDocumentRoot(storage: any): string;
 export declare function resolveSafePath(documentRoot: string, filePath?: string, filename?: string): string;
+export declare function validateLocalStorageConfig(storage: Pick<StorageType['storage'], 'type' | 'options' | 'path'>, { validateDocumentRoot }?: {
+    validateDocumentRoot?: boolean;
+}): void;
 export default class extends StorageType {
     static defaults(): {
         title: string;

package/dist/server/storages/local.js

@@ -38,7 +38,9 @@ var local_exports = {};
 __export(local_exports, {
   default: () => local_default,
   getDocumentRoot: () => getDocumentRoot,
-  resolveSafePath: () => resolveSafePath
+  normalizeLocalStoragePath: () => normalizeLocalStoragePath,
+  resolveSafePath: () => resolveSafePath,
+  validateLocalStorageConfig: () => validateLocalStorageConfig
 });
 module.exports = __toCommonJS(local_exports);
 var import_utils = require("@nocobase/utils");
@@ -51,25 +53,64 @@ var import__ = require(".");
 var import_constants = require("../../constants");
 var import_utils2 = require("../utils");
 const DEFAULT_BASE_URL = "/storage/uploads";
+function pathError(message) {
+  const error = new Error(message);
+  error.code = "PATH_TRAVERSAL";
+  return error;
+}
+function isInside(base, target) {
+  const relative = import_path.default.relative(base, target);
+  return !relative.startsWith("..") && !import_path.default.isAbsolute(relative);
+}
+function resolveDocumentRoot(documentRoot) {
+  if (typeof documentRoot !== "string" || !documentRoot || documentRoot.includes("\0")) {
+    throw pathError("Invalid local storage document root");
+  }
+  return (0, import_utils2.normalizeDocumentRoot)(documentRoot);
+}
+function allowedRoots() {
+  var _a;
+  const roots = [(0, import_utils.storagePathJoin)()];
+  const extra = [process.env.LOCAL_STORAGE_DEST, ...((_a = process.env.LOCAL_STORAGE_ALLOWED_ROOTS) == null ? void 0 : _a.split(",")) ?? []];
+  for (const item of extra) {
+    if (item == null ? void 0 : item.trim()) {
+      roots.push(resolveDocumentRoot(item.trim()));
+    }
+  }
+  return roots;
+}
+function normalizeLocalStoragePath(storagePath) {
+  if (storagePath == null || storagePath === "") {
+    return "";
+  }
+  if (typeof storagePath !== "string" || storagePath.includes("\0")) {
+    throw pathError("Invalid local storage path");
+  }
+  return storagePath.replace(/\\/g, "/").replace(/^\/+/, "");
+}
 function getDocumentRoot(storage) {
   var _a;
   const raw = ((_a = storage == null ? void 0 : storage.options) == null ? void 0 : _a.documentRoot) ?? process.env.LOCAL_STORAGE_DEST ?? (0, import_utils.storagePathJoin)("uploads");
-  if (import_path.default.isAbsolute(raw)) {
-    return raw;
-  }
-  return (0, import_utils2.normalizeDocumentRoot)(raw);
+  return resolveDocumentRoot(raw);
 }
 function resolveSafePath(documentRoot, filePath, filename) {
-  const root = (0, import_utils2.normalizeDocumentRoot)(documentRoot);
+  const root = resolveDocumentRoot(documentRoot);
   const target = import_path.default.resolve(root, filePath || "", filename || "");
-  const relative = import_path.default.relative(root, target);
-  if (relative.startsWith("..") || import_path.default.isAbsolute(relative)) {
-    const error = new Error("Access denied");
-    error.code = "PATH_TRAVERSAL";
-    throw error;
+  if (!isInside(root, target)) {
+    throw pathError("Access denied");
   }
   return target;
 }
+function validateLocalStorageConfig(storage, { validateDocumentRoot = false } = {}) {
+  if (storage.type !== import_constants.STORAGE_TYPE_LOCAL) {
+    return;
+  }
+  const root = getDocumentRoot(storage);
+  if (validateDocumentRoot && !allowedRoots().some((allowed) => isInside(allowed, root))) {
+    throw pathError("Invalid local storage document root");
+  }
+  resolveSafePath(root, normalizeLocalStoragePath(storage.path));
+}
 class local_default extends import__.StorageType {
   static defaults() {
     return {
@@ -89,7 +130,7 @@ class local_default extends import__.StorageType {
   make() {
     return import_multer.default.diskStorage({
       destination: (req, file, cb) => {
-        const destPath = import_path.default.join(getDocumentRoot(this.storage), this.storage.path || "");
+        const destPath = resolveSafePath(getDocumentRoot(this.storage), normalizeLocalStoragePath(this.storage.path));
         const mkdirp = require("mkdirp");
         mkdirp(destPath, (err) => cb(err, destPath));
       },
@@ -162,5 +203,7 @@ class local_default extends import__.StorageType {
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
   getDocumentRoot,
-  resolveSafePath
+  normalizeLocalStoragePath,
+  resolveSafePath,
+  validateLocalStorageConfig
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@nocobase/plugin-file-manager",
-  "version": "2.1.0-alpha.45",
+  "version": "2.1.0-alpha.46",
   "displayName": "File manager",
   "displayName.ru-RU": "Менеджер файлов",
   "displayName.zh-CN": "文件管理器",
@@ -60,5 +60,5 @@
     "Collections",
     "Collection fields"
   ],
-  "gitHead": "e9e24987e12d0ad10a5db8815b1e1b7b447f1938"
+  "gitHead": "42b269944cdd1908d7a848c0af4936fe94c03bb7"
 }