@@ -369,6 +369,14 @@ class ImportService {
unzipStream.on('entry', (entry) => {
unzipStream.on('entry', (entry) => {
const fileName = entry.path;
const fileName = entry.path;
+ // https://regex101.com/r/mD4eZs/3
+ // prevent from unexpecting attack doing unzip file (path traversal attack)
+ // FOR EXAMPLE
+ // ../../src/server/views/admin/markdown.html
+ if (fileName.match(/(\.\.\/|\.\.\\)/g)) {
+ logger.error('File path is not appropriate.', fileName);
+ return;
+ }
if (fileName === this.growiBridgeService.getMetaFileName()) {
if (fileName === this.growiBridgeService.getMetaFileName()) {
// skip meta.json
// skip meta.json