@reldens/server-utils 0.7.0 → 0.9.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/file-handler.js +2 -6
- package/lib/uploader-factory.js +9 -5
- package/package.json +1 -1
package/lib/file-handler.js
CHANGED
|
@@ -37,10 +37,7 @@ class FileHandler
|
|
|
37
37
|
return false;
|
|
38
38
|
}
|
|
39
39
|
let pathStr = String(filePath);
|
|
40
|
-
|
|
41
|
-
return false;
|
|
42
|
-
}
|
|
43
|
-
return true;
|
|
40
|
+
return !(pathStr.includes('../') || pathStr.includes('..\\'));
|
|
44
41
|
}
|
|
45
42
|
|
|
46
43
|
sanitizePath(filePath)
|
|
@@ -48,11 +45,10 @@ class FileHandler
|
|
|
48
45
|
if(!filePath){
|
|
49
46
|
return '';
|
|
50
47
|
}
|
|
51
|
-
|
|
48
|
+
return String(filePath)
|
|
52
49
|
.replace(/\.\./g, '')
|
|
53
50
|
.replace(/[:*?"<>|]/g, '')
|
|
54
51
|
.substring(0, 255);
|
|
55
|
-
return sanitized;
|
|
56
52
|
}
|
|
57
53
|
|
|
58
54
|
generateSecureFilename(originalName)
|
package/lib/uploader-factory.js
CHANGED
|
@@ -17,6 +17,7 @@ class UploaderFactory
|
|
|
17
17
|
this.maxFileSize = props.maxFileSize || 20 * 1024 * 1024;
|
|
18
18
|
this.fileLimit = props.fileLimit || 0;
|
|
19
19
|
this.allowedExtensions = props.allowedExtensions;
|
|
20
|
+
this.applySecureFileNames = props.applySecureFileNames;
|
|
20
21
|
}
|
|
21
22
|
|
|
22
23
|
createUploader(fields, buckets, allowedFileTypes)
|
|
@@ -24,7 +25,7 @@ class UploaderFactory
|
|
|
24
25
|
if(!this.validateInputs(fields, buckets, allowedFileTypes)){
|
|
25
26
|
throw new Error('Invalid uploader configuration: ' + this.error.message);
|
|
26
27
|
}
|
|
27
|
-
let
|
|
28
|
+
let diskStorageConfiguration = {
|
|
28
29
|
destination: (req, file, cb) => {
|
|
29
30
|
let dest = buckets[file.fieldname];
|
|
30
31
|
if(!FileHandler.isValidPath(dest)){
|
|
@@ -32,16 +33,19 @@ class UploaderFactory
|
|
|
32
33
|
}
|
|
33
34
|
FileHandler.createFolder(dest);
|
|
34
35
|
cb(null, dest);
|
|
35
|
-
}
|
|
36
|
-
|
|
36
|
+
}
|
|
37
|
+
};
|
|
38
|
+
if(this.applySecureFileNames){
|
|
39
|
+
diskStorageConfiguration['filename'] = (req, file, cb) => {
|
|
37
40
|
let secureFilename = FileHandler.generateSecureFilename(file.originalname);
|
|
38
41
|
if(!req.fileNameMapping){
|
|
39
42
|
req.fileNameMapping = {};
|
|
40
43
|
}
|
|
41
44
|
req.fileNameMapping[secureFilename] = file.originalname;
|
|
42
45
|
cb(null, secureFilename);
|
|
43
|
-
}
|
|
44
|
-
}
|
|
46
|
+
};
|
|
47
|
+
}
|
|
48
|
+
let storage = multer.diskStorage(diskStorageConfiguration);
|
|
45
49
|
let limits = {
|
|
46
50
|
fileSize: this.maxFileSize
|
|
47
51
|
};
|