rixty/SillyTavern
1
0
Fork 0
mirror of https://github.com/SillyTavern/SillyTavern.git synced 2025-06-05 21:59:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'staging' of https://github.com/Tony-sama/SillyTavern into staging

Browse Source
This commit is contained in:
Tony Ribeiro
2023-08-24 22:18:01 +02:00
parent 1014d592f7 b914921bf7
commit 47a35076db
2 changed files with 92 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
server.js
View File

@@ -5094,6 +5094,16 @@ app.post('/asset_download', jsonParser, async (request, response) => {
return response.sendStatus(400);
}
if (contentManager.unsafeExtensions.some(ext => inputFilename.toLowerCase().endsWith(ext))) {
console.debug("Bad request: forbidden file extension.");
return response.sendStatus(400);
}
if (inputFilename.startsWith('.')) {
console.debug("Bad request: filename cannot start with '.'");
return response.sendStatus(400);
}
const safe_input = path.normalize(inputFilename).replace(/^(\.\.(\/|\\|$))+/, '');
const temp_path = path.join(directories.assets, "temp", safe_input)
const file_path = path.join(directories.assets, category, safe_input)
@@ -5103,6 +5113,9 @@ app.post('/asset_download', jsonParser, async (request, response) => {
// Download to temp
const downloadFile = (async (url, temp_path) => {
const res = await fetch(url);
if (!res.ok) {
throw new Error(`Unexpected response ${res.statusText}`);
}
const destination = path.resolve(temp_path);
// Delete if previous download failed
if (fs.existsSync(temp_path)) {