5 years ago · 02de3e4df9
--- a/src/server/routes/admin.js
+++ b/src/server/routes/admin.js
@@ -22,7 +22,7 @@ module.exports = function(crowi, app) {
 
				   const MAX_PAGE_LIST = 50;
			
 
				   const actions = {};
			
 
				 
			
 
				-  const { check } = require('express-validator');
			
 
				+  const { check, param } = require('express-validator');
			
 
				 
			
 
				   const api = {};
			
 
				 
			
@@ -316,13 +316,29 @@ module.exports = function(crowi, app) {
 
				 
			
 
				   // Export management
			
 
				   actions.export = {};
			
 
				+  actions.export.api = api;
			
 
				+  api.validators.export = {};
			
 
				+
			
 
				   actions.export.index = (req, res) => {
			
 
				     return res.render('admin/export');
			
 
				   };
			
 
				 
			
 
				+  api.validators.export.download = function() {
			
 
				+    const validator = [
			
 
				+      // https://regex101.com/r/mD4eZs/4
			
 
				+      // prevent from pass traversal attack
			
 
				+      param('fileName').not().matches(/(\.\.\/|\.\.\\)/),
			
 
				+    ];
			
 
				+    return validator;
			
 
				+  };
			
 
				+
			
 
				   actions.export.download = (req, res) => {
			
 
				-    // TODO: add express validator
			
 
				     const { fileName } = req.params;
			
 
				+    const { validationResult } = require('express-validator');
			
 
				+    const errors = validationResult(req);
			
 
				+    if (!errors.isEmpty()) {
			
 
				+      return res.status(422).json({ errors: `${fileName} is invalid. Do not use path like '../'.` });
			
 
				+    }
			
 
				 
			
 
				     try {
			
 
				       const zipFile = exportService.getFile(fileName);
			
--- a/src/server/routes/apiv3/export.js
+++ b/src/server/routes/apiv3/export.js
@@ -62,9 +62,9 @@ module.exports = (crowi) => {
 
				 
			
 
				   const validator = {
			
 
				     deleteFile: [
			
 
				-      // https://regex101.com/r/mD4eZs/3
			
 
				+      // https://regex101.com/r/mD4eZs/4
			
 
				       // prevent from unexpecting attack doing delete file (path traversal attack)
			
 
				-      param('fileName').not().matches(/(\.\.\/|\.\.\\)/g),
			
 
				+      param('fileName').not().matches(/(\.\.\/|\.\.\\)/),
			
 
				     ],
			
 
				   };
			
 
				 
			
--- a/src/server/routes/index.js
+++ b/src/server/routes/index.js
@@ -111,7 +111,7 @@ module.exports = function(crowi, app) {
 
				 
			
 
				   // export management for admin
			
 
				   app.get('/admin/export'                       , loginRequiredStrictly , adminRequired ,admin.export.index);
			
 
				-  app.get('/admin/export/:fileName'             , loginRequiredStrictly , adminRequired ,admin.export.download);
			
 
				+  app.get('/admin/export/:fileName'             , loginRequiredStrictly , adminRequired ,admin.export.api.validators.export.download(), admin.export.download);
			
 
				 
			
 
				   app.get('/me'                       , loginRequiredStrictly , me.index);
			
 
				   // external-accounts
			
--- a/src/server/service/import.js
+++ b/src/server/service/import.js
@@ -369,11 +369,11 @@ class ImportService {
 
				 
			
 
				     unzipStream.on('entry', (entry) => {
			
 
				       const fileName = entry.path;
			
 
				-      // https://regex101.com/r/mD4eZs/3
			
 
				+      // https://regex101.com/r/mD4eZs/4
			
 
				       // prevent from unexpecting attack doing unzip file (path traversal attack)
			
 
				       // FOR EXAMPLE
			
 
				       // ../../src/server/views/admin/markdown.html
			
 
				-      if (fileName.match(/(\.\.\/|\.\.\\)/g)) {
			
 
				+      if (fileName.match(/(\.\.\/|\.\.\\)/)) {
			
 
				         logger.error('File path is not appropriate.', fileName);
			
 
				         return;
			
 
				       }