CVE-2023-4897: prevent exports path traversal (#233) · Mintplex-Labs/anything-llm@3c88aec
Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.
@@ -24,6 +24,7 @@ const { User } = require(“…/models/user”);
const { validatedRequest } = require(“…/utils/middleware/validatedRequest”);
const { handleImports } = setupDataImports();
const { handleLogoUploads } = setupLogoUploads();
const fs = require(“fs”);
const path = require(“path”);
const {
getDefaultFilename,
@@ -315,9 +316,21 @@ function systemEndpoints(app) {
"/system/data-exports/:filename",
[validatedRequest],
(request, response) => {
const filePath =
__dirname + “/…/storage/exports/” + request.params.filename;
response.download(filePath, request.params.filename, (err) => {
const exportLocation = __dirname + "/…/storage/exports/";
const sanitized = path
.normalize(request.params.filename)
.replace(/^(\.\.(\/|\\|$))+/, “”);
const finalDestination = path.join(exportLocation, sanitized);
if (!fs.existsSync(finalDestination)) {
response.status(404).json({
error: 404,
msg: `File ${request.params.filename} does not exist in exports.`,
});
return;
}
response.download(finalDestination, request.params.filename, (err) => {
if (err) {
response.send({
error: err,
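Review bot: The new guard on the `sanitized` / `finalDestination` lines enforces containment by stripping leading `../` segments with a regex after `path.normalize`, but never verifies that the resolved path actually lies under the exports directory; a check that `path.resolve(exportLocation, sanitized)` starts with the resolved `exportLocation` plus `path.sep` makes the intent explicit and fails closed (404) if the sanitizer is ever loosened or given an absolute filename. Building `exportLocation` with `path.resolve(__dirname, "..", "storage", "exports")` rather than string concatenation also removes the mixed-separator case the regex tries to cover. The retained `response.send({ error: err, ...` in the download callback returns the raw error object to the client, which on a failed send may carry the absolute server path (e.g. an `err.path` field); presumably a fixed message with the detail logged server-side is preferable, though that line predates this commit. The handler body continues past the end of the hunk.
```javascript
    (request, response) => {
      const exportLocation = path.resolve(__dirname, "..", "storage", "exports");
      const sanitized = path
        .normalize(request.params.filename)
        .replace(/^(\.\.(\/|\\|$))+/, "");
      const finalDestination = path.resolve(exportLocation, sanitized);
      // Fail closed: the served file must resolve strictly inside the exports directory.
      if (
        !finalDestination.startsWith(exportLocation + path.sep) ||
        !fs.existsSync(finalDestination)
      ) {
        response.status(404).json({
          error: 404,
          msg: `File ${request.params.filename} does not exist in exports.`,
        });
        return;
      }
      // … unchanged: response.download(finalDestination, …) and its error callback …
```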
@@ -448,13 +461,11 @@ function systemEndpoints(app) {
response.status(200).json({ canDelete });
} catch (error) {
console.error("Error fetching can delete workspaces:", error);
response
.status(500)
.json({
success: false,
message: "Internal server error",
canDelete: false,
});
response.status(500).json({
success: false,
message: "Internal server error",
canDelete: false,
});
}
}
);