|
|
@@ -4,6 +4,7 @@ const logger = loggerFactory('growi:routes:apiv3:export');
|
|
|
const fs = require('fs');
|
|
|
|
|
|
const express = require('express');
|
|
|
+const { param } = require('express-validator');
|
|
|
|
|
|
const router = express.Router();
|
|
|
|
|
|
@@ -41,6 +42,7 @@ module.exports = (crowi) => {
|
|
|
const accessTokenParser = require('../../middlewares/access-token-parser')(crowi);
|
|
|
const loginRequired = require('../../middlewares/login-required')(crowi);
|
|
|
const adminRequired = require('../../middlewares/admin-required')(crowi);
|
|
|
+ const apiV3FormValidator = require('../../middlewares/apiv3-form-validator')(crowi);
|
|
|
const csrf = require('../../middlewares/csrf')(crowi);
|
|
|
|
|
|
const { exportService, socketIoService } = crowi;
|
|
|
@@ -58,6 +60,14 @@ module.exports = (crowi) => {
|
|
|
socketIoService.getAdminSocket().emit('admin:onTerminateForExport', data);
|
|
|
});
|
|
|
|
|
|
+ const validator = {
|
|
|
+ deleteFile: [
|
|
|
+ // https://regex101.com/r/mD4eZs/3
|
|
|
+ // prevent from unexpecting attack doing delete file (path traversal attack)
|
|
|
+ param('fileName').not().matches(/(\.\.\/|\.\.\\)/g),
|
|
|
+ ],
|
|
|
+ };
|
|
|
+
|
|
|
|
|
|
/**
|
|
|
* @swagger
|
|
|
@@ -150,7 +160,7 @@ module.exports = (crowi) => {
|
|
|
* schema:
|
|
|
* type: object
|
|
|
*/
|
|
|
- router.delete('/:fileName', accessTokenParser, loginRequired, adminRequired, csrf, async(req, res) => {
|
|
|
+ router.delete('/:fileName', accessTokenParser, loginRequired, adminRequired, validator.deleteFile, apiV3FormValidator, csrf, async(req, res) => {
|
|
|
// TODO: add express validator
|
|
|
const { fileName } = req.params;
|
|
|
|
Yuki Takei