From ca91a2b6c7bcf7f6ce778fcbd8c8c8d509701ba7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=B6ran=20Sander?= Date: Sat, 6 Aug 2022 22:07:58 +0200 Subject: [PATCH] feat: Make file copy/move/delete REST endpoints more robust Implements #521 --- src/package-lock.json | 12 +++++------ src/routes/disk_utils.js | 45 ++++++++++++++++------------------------ 2 files changed, 24 insertions(+), 33 deletions(-) diff --git a/src/package-lock.json b/src/package-lock.json index 64a3d96b..364be2da 100644 --- a/src/package-lock.json +++ b/src/package-lock.json @@ -2040,9 +2040,9 @@ } }, "node_modules/caniuse-lite": { - "version": "1.0.30001350", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001350.tgz", - "integrity": "sha512-NZBql38Pzd+rAu5SPXv+qmTWGQuFsRiemHCJCAPvkoDxWV19/xqL2YHF32fDJ9SDLdLqfax8+S0CO3ncDCp9Iw==", + "version": "1.0.30001374", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001374.tgz", + "integrity": "sha512-mWvzatRx3w+j5wx/mpFN5v5twlPrabG8NqX2c6e45LCpymdoGqNvRkRutFUqpRTXKFQFNQJasvK0YT7suW6/Hw==", "dev": true, "funding": [ { @@ -8926,9 +8926,9 @@ "dev": true }, "caniuse-lite": { - "version": "1.0.30001350", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001350.tgz", - "integrity": "sha512-NZBql38Pzd+rAu5SPXv+qmTWGQuFsRiemHCJCAPvkoDxWV19/xqL2YHF32fDJ9SDLdLqfax8+S0CO3ncDCp9Iw==", + "version": "1.0.30001374", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001374.tgz", + "integrity": "sha512-mWvzatRx3w+j5wx/mpFN5v5twlPrabG8NqX2c6e45LCpymdoGqNvRkRutFUqpRTXKFQFNQJasvK0YT7suW6/Hw==", "dev": true }, "chalk": { diff --git a/src/routes/disk_utils.js b/src/routes/disk_utils.js index 4d03cc95..cce18e2a 100644 --- a/src/routes/disk_utils.js +++ b/src/routes/disk_utils.js @@ -1,6 +1,5 @@ const httpErrors = require('http-errors'); const fs = require('fs-extra'); -const path = require('path'); const upath = require('upath'); const mkdirp = require('mkdirp'); @@ -38,25 +37,25 @@ async function handlerFileCopy(request, reply) { // 1. fromFile is in a valid source directory (or subdirectory thereof), // 2. toFile is in a valid associated destination directory (or subdirectory thereof) - const fromFile = path.normalize(request.body.fromFile); - const toFile = path.normalize(request.body.toFile); + const fromFile = upath.normalize(request.body.fromFile); + const toFile = upath.normalize(request.body.toFile); - const fromDir = path.dirname(fromFile); - const toDir = path.dirname(toFile); + const fromDir = upath.dirname(fromFile); + const toDir = upath.dirname(toFile); let copyIsOk = false; // Only allow copy if this flag is true // Ensure fromFile exists if (await fs.pathExists(fromFile)) { - globals.fileCopyDirectories.forEach((element) => { - if (isDirectoryChildOf(fromDir, element.fromDir) && isDirectoryChildOf(toDir, element.toDir)) { + // eslint-disable-next-line no-restricted-syntax + for (const approvedCopyDir of globals.fileCopyDirectories) { + if (isDirectoryChildOf(fromDir, approvedCopyDir.fromDir) && isDirectoryChildOf(toDir, approvedCopyDir.toDir)) { // The fromFile passed as parameter matches an approved fromDir specified in the config file // AND // toFile passed as parameter matches the associated approved toDir specified in the config file - copyIsOk = true; } - }); + } if (copyIsOk) { globals.logger.debug( @@ -121,25 +120,25 @@ async function handlerFileMove(request, reply) { // 1. fromFile is in a valid source directory (or subdirectory thereof), // 2. toFile is in a valid associated destination directory (or subdirectory thereof) - const fromFile = path.normalize(request.body.fromFile); - const toFile = path.normalize(request.body.toFile); + const fromFile = upath.normalize(request.body.fromFile); + const toFile = upath.normalize(request.body.toFile); - const fromDir = path.dirname(fromFile); - const toDir = path.dirname(toFile); + const fromDir = upath.dirname(fromFile); + const toDir = upath.dirname(toFile); let moveIsOk = false; // Only allow move if this flag is true // Ensure fromFile exists if (await fs.pathExists(fromFile)) { - globals.fileMoveDirectories.forEach((element) => { - if (isDirectoryChildOf(fromDir, element.fromDir) && isDirectoryChildOf(toDir, element.toDir)) { + // eslint-disable-next-line no-restricted-syntax + for (const approvedMoveDir of globals.fileMoveDirectories) { + if (isDirectoryChildOf(fromDir, approvedMoveDir.fromDir) && isDirectoryChildOf(toDir, approvedMoveDir.toDir)) { // The fromFile passed as parameter matches an approved fromDir specified in the config file // AND // toFile passed as parameter matches the associated approved toDir specified in the config file - moveIsOk = true; } - }); + } if (moveIsOk) { globals.logger.debug(`FILEMOVE: About to move file from ${fromFile} to ${toFile}, overwrite flag=${overwrite}`); @@ -188,21 +187,13 @@ async function handlerFileDelete(request, reply) { // Ensure the file to be deleted is in an approved directory hierarchy // eslint-disable-next-line no-restricted-syntax - for (const approvedPath of globals.fileDeleteDirectories) { - if (isDirectoryChildOf(deleteDir, approvedPath)) { + for (const approvedDeleteDir of globals.fileDeleteDirectories) { + if (isDirectoryChildOf(deleteDir, approvedDeleteDir)) { // The deleteFile passed as parameter matches an approved directory specified in the config file deleteIsOk = true; } } - // globals.fileDeleteDirectories.forEach((element) => { - // if (isDirectoryChildOf(deleteDir, element)) { - // // The deleteFile passed as parameter matches an approved directory specified in the config file - - // deleteIsOk = true; - // } - // }); - if (deleteIsOk) { // Finally, make sure that file really exists if (await fs.pathExists(deleteFile)) {