sinvo/docmost
1
0
Fork 0
mirror of https://github.com/docmost/docmost.git synced 2026-05-14 04:24:04 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: refactor sanitize

Browse Source
This commit is contained in:
Philipinho
2026-04-27 15:16:26 +01:00
parent a573acedd0
commit ec83fc82d5
7 changed files with 64 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
apps/server/src/core/attachment/attachment.controller.ts
+10 -5
View File
@@ -53,7 +53,6 @@ import { EnvironmentService } from '../../integrations/environment/environment.s
import { TokenService } from '../auth/services/token.service';
import { JwtAttachmentPayload, JwtType } from '../auth/dto/jwt-payload';
import * as path from 'path';
import { sanitize } from 'sanitize-filename-ts';
import { AttachmentInfoDto, RemoveIconDto } from './dto/attachment.dto';
import { PageAccessService } from '../page/page-access/page-access.service';
import { AuditEvent, AuditResource } from '../../common/events/audit-events';
@@ -357,13 +356,19 @@ export class AttachmentController {
throw new BadRequestException('Invalid image attachment type');
}
if (!fileName || sanitize(fileName) !== fileName) {
if (!fileName) {
throw new BadRequestException('Invalid file name');
}
const filenameWithoutExt = path.basename(fileName, path.extname(fileName));
if (!isValidUUID(filenameWithoutExt)) {
throw new BadRequestException('Invalid file id');
const ext = path.extname(fileName);
const filenameWithoutExt = path.basename(fileName, ext);
if (
!ext ||
!isValidUUID(filenameWithoutExt) ||
`${filenameWithoutExt}${ext}` !== fileName
) {
throw new BadRequestException('Invalid file name');
}
const filePath = `${getAttachmentFolderPath(attachmentType, workspace.id)}/${fileName}`;