|
|
@@ -18,6 +18,7 @@ import loggerFactory from '~/utils/logger';
|
|
|
|
|
|
import { generateAddActivityMiddleware } from '../../../middlewares/add-activity';
|
|
|
import { apiV3FormValidator } from '../../../middlewares/apiv3-form-validator';
|
|
|
+import { isFileNameSafeForBaseDir } from '../../util/safe-path-utils';
|
|
|
import type { ApiV3Response } from '../interfaces/apiv3-response';
|
|
|
|
|
|
const logger = loggerFactory('growi:routes:apiv3:app-settings');
|
|
|
@@ -582,6 +583,15 @@ module.exports = (crowi: Crowi) => {
|
|
|
validator.appSetting,
|
|
|
apiV3FormValidator,
|
|
|
async (req, res) => {
|
|
|
+ const { globalLang } = req.body;
|
|
|
+ if (globalLang != null) {
|
|
|
+ if (!isFileNameSafeForBaseDir(globalLang, crowi.localeDir)) {
|
|
|
+ const msg =
|
|
|
+ 'Invalid global language settings: path traversal detected.';
|
|
|
+ logger.error(msg, { globalLang });
|
|
|
+ return res.apiv3Err(new ErrorV3(msg, 'invalid-globalLang'));
|
|
|
+ }
|
|
|
+ }
|
|
|
const requestAppSettingParams = {
|
|
|
'app:title': req.body.title,
|
|
|
'app:confidential': req.body.confidential,
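Review bot: The guard added at the top of the handler pins `globalLang` only as a safe path component, but the value comes straight from `req.body`, so a non-string (array or object) reaches `isFileNameSafeForBaseDir` unchecked, and whether that helper rejects non-strings is not visible in this hunk. Pin the type before the path check: `if (typeof globalLang !== 'string' || !isFileNameSafeForBaseDir(globalLang, crowi.localeDir)) {`. If the project keeps a list of supported locale names, rejecting anything not in that allow-list would be a stronger check than path safety alone; the `validator.appSetting` chain just above the handler may also be the more consistent place for either check, since the other body fields are validated there. The handler body continues past the end of the hunk.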
|