From 017df860e5c785e8207b1012629919ad5c618c9e Mon Sep 17 00:00:00 2001
From: Tony Ribeiro
Date: Thu, 24 Aug 2023 01:42:52 +0200
Subject: [PATCH] Sanitized character bgm request.

---
 public/scripts/extensions/audio/index.js | 2 +-
 server.js | 26 +++++++++++++++++++-----
 2 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/public/scripts/extensions/audio/index.js b/public/scripts/extensions/audio/index.js
index 859a1409d..4c73615fd 100644
--- a/public/scripts/extensions/audio/index.js
+++ b/public/scripts/extensions/audio/index.js
@@ -193,7 +193,7 @@ async function getCharacterBgmList(name) {
 console.debug(DEBUG_PREFIX, "getting bgm list for", name);
 try {
- const result = await fetch(`/get_character_assets_list?name=${encodeURIComponent(name)}&assetsFolder=${CHARACTER_BGM_FOLDER}`, {
+ const result = await fetch(`/get_character_assets_list?name=${encodeURIComponent(name)}&category=${CHARACTER_BGM_FOLDER}`, {
 method: 'POST',
 headers: getRequestHeaders(),
 });
diff --git a/server.js b/server.js
index 3ac9c2032..80e35b39a 100644
--- a/server.js
+++ b/server.js
@@ -5117,10 +5117,23 @@ app.post('/asset_download', jsonParser, async (request, response) => {
 */
 app.post('/get_character_assets_list', jsonParser, async (request, response) => {
 const name = request.query.name;
- const assetsFolder = request.query.assetsFolder
- const folderPath = path.join(directories.characters, name, assetsFolder);
- let output = [];
+ const inputCategory = request.query.category;
+ const validCategories = ["bgm","ambient"]
+
+ // Check category
+ let category = null
+ for(i of validCategories)
+ if (i == inputCategory)
+ category = i
+ if (category === null) {
+ console.debug("Bad request: unsuported asset category.");
+ return response.sendStatus(400);
+ }
+
+ const folderPath = path.join(directories.characters, name, category);
+
+ let output = [];
 try {
 if (fs.existsSync(folderPath) && fs.statSync(folderPath).isDirectory()) {
 const files = fs.readdirSync(folderPath)
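Review bot: The new category allow-list leaves `name` unchecked: `request.query.name` still flows straight into `path.join(directories.characters, name, category)`, so a value such as `../../` makes the handler list any directory on the host that happens to contain a `bgm` or `ambient` subfolder and echo the file names back in `output`. Resolve and contain the path before touching the filesystem, e.g. `const root = path.resolve(directories.characters);` / `const folderPath = path.resolve(root, String(name), category);` / `if (!folderPath.startsWith(root + path.sep)) return response.sendStatus(400);` (the `String()` also keeps a repeated `?name=` query, which Express can parse as an array, from throwing inside `path.resolve` outside the `try`). The `for(i of validCategories)` loop assigns an undeclared `i`, which is an implicit global in sloppy mode and a ReferenceError if this file ever runs in strict mode; `validCategories.includes(inputCategory)` replaces the loop and its `==` comparison in one line. The handler's body continues in the next hunk, and one trailing context line of this hunk appears to have been lost in extraction.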
@@ -5129,13 +5142,16 @@ app.post('/get_character_assets_list', jsonParser, async (request, response) =>
 });
 for (i of files)
- output.push(`/characters/${name}/${assetsFolder}/${i}`);
+ output.push(`/characters/${name}/${category}/${i}`);
+ }
+ return response.send(output);
 } catch (err) {
 console.log(err);
+ return response.sendStatus(500);
 } finally {
- return response.send(output);
+
 }
 });
\ No newline at end of file
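Review bot: With the `return` moved into the `try` and `catch` branches, the `finally` clause on the new side holds nothing but the added blank line; an empty `finally {}` is dead code and should be dropped so the handler ends with `} catch (err) { console.log(err); return response.sendStatus(500); }`. Taking the `send` out of `finally` is the right call — the old code answered 200 with a partial `output` even after an exception — but now that the client only sees a bare 500, `console.error(err)` rather than `console.log(err)` keeps the only record of the failure on the error stream. The `for (i of files)` context line assigns an undeclared `i` as well; the handler starts in the previous hunk, and the context lines between this hunk's header and `});` are not visible here.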