Merge branch 'staging' of https://github.com/Tony-sama/SillyTavern into staging

2023-08-24 22:18:01 +02:00 · 2023-08-24 22:18:01 +02:00 · 47a35076db
parent 1014d592f7 b914921bf7
commit 47a35076db
2 changed files with 92 additions and 1 deletions
--- a/server.js
+++ b/server.js
@ -5094,6 +5094,16 @@ app.post('/asset_download', jsonParser, async (request, response) => {
        return response.sendStatus(400);
    }

+    if (contentManager.unsafeExtensions.some(ext => inputFilename.toLowerCase().endsWith(ext))) {
+        console.debug("Bad request: forbidden file extension.");
+        return response.sendStatus(400);
+    }
+
+    if (inputFilename.startsWith('.')) {
+        console.debug("Bad request: filename cannot start with '.'");
+        return response.sendStatus(400);
+    }
+
    const safe_input = path.normalize(inputFilename).replace(/^(\.\.(\/|\\|$))+/, '');
    const temp_path = path.join(directories.assets, "temp", safe_input)
    const file_path = path.join(directories.assets, category, safe_input)
@ -5103,6 +5113,9 @@ app.post('/asset_download', jsonParser, async (request, response) => {
        // Download to temp
        const downloadFile = (async (url, temp_path) => {
            const res = await fetch(url);
+            if (!res.ok) {
+                throw new Error(`Unexpected response ${res.statusText}`);
+            }
            const destination = path.resolve(temp_path);
            // Delete if previous download failed
            if (fs.existsSync(temp_path)) {
--- a/src/content-manager.js
+++ b/src/content-manager.js
@ -1,10 +1,87 @@
 const fs = require('fs');
-const path=  require('path');
+const path = require('path');
 const config = require(path.join(process.cwd(), './config.conf'));
 const contentDirectory = path.join(process.cwd(), 'default/content');
 const contentLogPath = path.join(contentDirectory, 'content.log');
 const contentIndexPath = path.join(contentDirectory, 'index.json');

+const unsafeExtensions = [
+    ".php",
+    ".exe",
+    ".com",
+    ".dll",
+    ".pif",
+    ".application",
+    ".gadget",
+    ".msi",
+    ".jar",
+    ".cmd",
+    ".bat",
+    ".reg",
+    ".sh",
+    ".py",
+    ".js",
+    ".jse",
+    ".jsp",
+    ".pdf",
+    ".html",
+    ".htm",
+    ".hta",
+    ".vb",
+    ".vbs",
+    ".vbe",
+    ".cpl",
+    ".msc",
+    ".scr",
+    ".sql",
+    ".iso",
+    ".img",
+    ".dmg",
+    ".ps1",
+    ".ps1xml",
+    ".ps2",
+    ".ps2xml",
+    ".psc1",
+    ".psc2",
+    ".msh",
+    ".msh1",
+    ".msh2",
+    ".mshxml",
+    ".msh1xml",
+    ".msh2xml",
+    ".scf",
+    ".lnk",
+    ".inf",
+    ".reg",
+    ".doc",
+    ".docm",
+    ".docx",
+    ".dot",
+    ".dotm",
+    ".dotx",
+    ".xls",
+    ".xlsm",
+    ".xlsx",
+    ".xlt",
+    ".xltm",
+    ".xltx",
+    ".xlam",
+    ".ppt",
+    ".pptm",
+    ".pptx",
+    ".pot",
+    ".potm",
+    ".potx",
+    ".ppam",
+    ".ppsx",
+    ".ppsm",
+    ".pps",
+    ".ppam",
+    ".sldx",
+    ".sldm",
+    ".ws",
+];
+
 function checkForNewContent() {
    try {
        if (config.skipContentCheck) {
@ -85,4 +162,5 @@ function getContentLog() {

 module.exports = {
    checkForNewContent,
+    unsafeExtensions,
 }