Move sanitize call inside validation function

Also rename it (again) to validateAssetFileName.
valadaptive 2023-12-05 17:35:11 -05:00
parent 100dae5fd0
commit 41d427f4a8
2 changed files with 13 additions and 9 deletions


@ -10,11 +10,11 @@ const { jsonParser } = require('../express-common');
const VALID_CATEGORIES = ['bgm', 'ambient', 'blip', 'live2d'];
/**
* Sanitizes the input filename for theasset.
* Validates the input filename for the asset.
* @param {string} inputFilename Input filename
* @returns {string} Normalized or empty path if invalid
*/
function sanitizeAssetFileName(inputFilename) {
function validateAssetFileName(inputFilename) {
if (!/^[a-zA-Z0-9_\-.]+$/.test(inputFilename)) {
console.debug('Bad request: illegal character in filename, only alphanumeric, \'_\', \'-\' are accepted.');
return '';
@ -31,6 +31,11 @@ function sanitizeAssetFileName(inputFilename) {
return '';
}
if (sanitize(inputFilename) !== inputFilename) {
console.debug('Bad request: reserved or long filename');
return '';
}
return inputFilename;
}
@ -124,7 +129,6 @@ router.post('/get', jsonParser, async (_, response) => {
router.post('/download', jsonParser, async (request, response) => {
const url = request.body.url;
const inputCategory = request.body.category;
const inputFilename = sanitize(request.body.filename);
// Check category
let category = null;
@ -138,7 +142,7 @@ router.post('/download', jsonParser, async (request, response) => {
}
// Sanitize filename
const safe_input = sanitizeAssetFileName(inputFilename);
const safe_input = validateAssetFileName(request.body.filename);
if (safe_input == '')
return response.sendStatus(400);
@ -183,7 +187,6 @@ router.post('/download', jsonParser, async (request, response) => {
*/
router.post('/delete', jsonParser, async (request, response) => {
const inputCategory = request.body.category;
const inputFilename = sanitize(request.body.filename);
// Check category
let category = null;
@ -197,7 +200,7 @@ router.post('/delete', jsonParser, async (request, response) => {
}
// Sanitize filename
const safe_input = sanitizeAssetFileName(inputFilename);
const safe_input = validateAssetFileName(request.body.filename);
if (safe_input == '')
return response.sendStatus(400);
@ -236,6 +239,7 @@ router.post('/delete', jsonParser, async (request, response) => {
*/
router.post('/character', jsonParser, async (request, response) => {
if (request.query.name === undefined) return response.sendStatus(400);
// For backwards compatibility, don't reject invalid character names, just sanitize them
const name = sanitize(request.query.name.toString());
const inputCategory = request.query.category;
@ -289,4 +293,4 @@ router.post('/character', jsonParser, async (request, response) => {
}
});
module.exports = { router, sanitizeAssetFileName };
module.exports = { router, validateAssetFileName };
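Review bot: `validateAssetFileName` now receives `request.body.filename` straight from the JSON body in `/download` and `/delete`, but nothing visible in it checks that the value is a string. `RegExp.prototype.test` coerces its argument, so a missing field (coerced to `"undefined"`) or a one-element array gets past the character check, and the outcome then depends on how the later checks and `sanitize()` treat a non-string, which this page does not show (part of the function body lies between the two hunks). I would add `if (typeof inputFilename !== 'string') return '';` as the first statement so those requests get a clean 400. The JSDoc `@returns` still says "Normalized", although the function now returns the input unchanged or `''`; `Input filename unchanged, or empty string if invalid` would match.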


@ -2,7 +2,7 @@ const path = require('path');
const writeFileSyncAtomic = require('write-file-atomic').sync;
const express = require('express');
const router = express.Router();
const { sanitizeAssetFileName } = require('./assets');
const { validateAssetFileName } = require('./assets');
const { jsonParser } = require('../express-common');
const { DIRECTORIES } = require('../constants');
@ -16,7 +16,7 @@ router.post('/upload', jsonParser, async (request, response) => {
return response.status(400).send('No upload data specified');
}
const safeInput = sanitizeAssetFileName(request.body.name);
const safeInput = validateAssetFileName(request.body.name);
if (!safeInput) {
return response.status(400).send('Invalid upload name');