rixty/SillyTavern
1
0
Fork 0
mirror of https://github.com/SillyTavern/SillyTavern.git synced 2025-06-05 21:59:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Clean up file name sanitization

Browse Source 
- Checking for null bytes is unnecessary because the check for illegal
characters directly below it will catch them.
- We can use the path.extname method to get the file extension more
cleanly. It returns the *last* extension (e.g.
path.extname('file.foo.js') === '.js'), so behavior is preserved.
- Normalizing the path is unnecessary. We don't allow any path
separators in the file name, so it does nothing.
- Stripping '..', path separators, and '$' is unnecessary because of the
earlier illegal character check.
This commit is contained in:
valadaptive
2023-12-05 08:10:31 -05:00
parent c9fbe75566
commit c00df4f45b
2 changed files with 10 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/endpoints/files.js
View File

@@ -2,7 +2,7 @@ const path = require('path');
const writeFileSyncAtomic = require('write-file-atomic').sync;
const express = require('express');
const router = express.Router();
const { checkAssetFileName } = require('./assets');
const { sanitizeAssetFileName } = require('./assets');
const { jsonParser } = require('../express-common');
const { DIRECTORIES } = require('../constants');
@@ -16,7 +16,7 @@ router.post('/upload', jsonParser, async (request, response) => {
return response.status(400).send('No upload data specified');
}
const safeInput = checkAssetFileName(request.body.name);
const safeInput = sanitizeAssetFileName(request.body.name);
if (!safeInput) {
return response.status(400).send('Invalid upload name');