diff --git a/src/endpoints/chats.js b/src/endpoints/chats.js
index 8ecd08199..855ddff3a 100644
--- a/src/endpoints/chats.js
+++ b/src/endpoints/chats.js
@@ -144,8 +144,8 @@ router.post('/save', jsonParser, function (request, response) {
 const directoryName = String(request.body.avatar_url).replace('.png', '');
 const chatData = request.body.chat;
 const jsonlData = chatData.map(JSON.stringify).join('\n');
- const fileName = `${sanitize(String(request.body.file_name))}.jsonl`;
- const filePath = path.join(request.user.directories.chats, directoryName, fileName);
+ const fileName = `${String(request.body.file_name)}.jsonl`;
+ const filePath = path.join(request.user.directories.chats, directoryName, sanitize(fileName));
 writeFileAtomicSync(filePath, jsonlData, 'utf8');
 backupChat(request.user.directories.backups, directoryName, jsonlData);
 return response.send({ result: 'ok' });
@@ -171,14 +171,15 @@ router.post('/get', jsonParser, function (request, response) {
 return response.send({});
 }
- const fileName = path.join(directoryPath, `${sanitize(String(request.body.file_name))}.jsonl`);
- const chatFileExists = fs.existsSync(fileName);
+ const fileName = `${String(request.body.file_name)}.jsonl`;
+ const filePath = path.join(directoryPath, sanitize(fileName));
+ const chatFileExists = fs.existsSync(filePath);
 if (!chatFileExists) {
 return response.send({});
 }
- const data = fs.readFileSync(fileName, 'utf8');
+ const data = fs.readFileSync(filePath, 'utf8');
 const lines = data.split('\n');
 // Iterate through the array of strings and parse each line as JSON
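Review bot: `directoryName` in the `/save` hunk is still taken from `request.body.avatar_url` with only `.replace('.png', '')` and is passed to `path.join` unsanitized, so moving `sanitize()` onto `fileName` confines the last path segment but not the directory the file is written to (the same value also goes to `backupChat`). Unless `avatar_url` is validated by middleware outside this hunk, sanitize it the same way: `const directoryName = sanitize(String(request.body.avatar_url).replace('.png', ''));`. The `/delete` hunk has the same pattern with `dirName`, where the resulting path reaches `fs.rmSync`. In `/get`, `directoryPath` is built above the hunk and should be checked for the same thing. The `/save` handler starts and ends outside the hunk.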
@@ -217,28 +218,18 @@ router.post('/rename', jsonParser, async function (request, response) {
 });
 router.post('/delete', jsonParser, function (request, response) {
- if (!request.body) {
- console.log('no request body seen');
- return response.sendStatus(400);
- }
-
- if (request.body.chatfile !== sanitize(request.body.chatfile)) {
- console.error('Malicious chat name prevented');
- return response.sendStatus(403);
- }
-
- const dirName = String(request.body.avatar_url).replace('.png', '');
- const fileName = path.join(request.user.directories.chats, dirName, sanitize(String(request.body.chatfile)));
- const chatFileExists = fs.existsSync(fileName);
+ const fileName = String(request.body.chatfile);
+ const filePath = path.join(request.user.directories.chats, dirName, sanitize(fileName));
+ const chatFileExists = fs.existsSync(filePath);
 if (!chatFileExists) {
- console.log(`Chat file not found '${fileName}'`);
+ console.log(`Chat file not found '${filePath}'`);
 return response.sendStatus(400);
- } else {
- fs.rmSync(fileName);
- console.log('Deleted chat file: ' + fileName);
 }
+ fs.rmSync(filePath);
+ console.log('Deleted chat file: ' + filePath);
 return response.send('ok');
 });
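Review bot: Removing the `request.body.chatfile !== sanitize(request.body.chatfile)` rejection means `/delete` now silently acts on whatever name sanitizing produces, and nothing handles `sanitize(fileName)` returning an empty string. In that case `filePath` is the character's chat directory itself, `fs.existsSync(filePath)` passes, and `fs.rmSync(filePath)` throws on a directory inside this synchronous handler instead of returning a 4xx (this assumes `sanitize` can return `''`, as the sanitize-filename package does). An explicit reject keeps the old status code and log line: `const safeName = sanitize(fileName); if (!safeName || safeName !== fileName) { return response.sendStatus(403); }`. With the `!request.body` guard gone, a request whose body was not parsed also throws on `request.body.avatar_url` rather than returning 400.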