Skip to content

fix(security): prevent path traversal in deleteFile (#75)#85

Open
Vitalcheffe wants to merge 1 commit intovas3k:mainfrom
Vitalcheffe:fix/path-traversal-file-deletion-75
Open

fix(security): prevent path traversal in deleteFile (#75)#85
Vitalcheffe wants to merge 1 commit intovas3k:mainfrom
Vitalcheffe:fix/path-traversal-file-deletion-75

Conversation

@Vitalcheffe
Copy link
Copy Markdown

Problem

The deleteFile function in models/files.ts (line 77) constructs a filesystem path directly from the file.path database column using path.resolve(path.normalize(...)) without passing it through the safePathJoin utility that is used everywhere else in the codebase.

If an attacker can control the path value stored in the database (e.g. via backup restore), they can delete arbitrary files on the server when the file is deleted through the application.

Reported in #75 by @N1et.

Fix

Replaced path.resolve(path.normalize(file.path)) with safePathJoin, consistent with the rest of the codebase:

  1. Looks up the user by userId
  2. Builds the user's uploads directory using safePathJoin(FILE_UPLOAD_PATH, user.email)
  3. Joins the file's relative path using safePathJoin(userUploadsDir, file.path)

If file.path contains path traversal sequences (e.g. ../../etc/passwd), safePathJoin will throw a Path traversal detected error before any file is deleted.

Changes

  • models/files.ts:
    • Added import for safePathJoin and FILE_UPLOAD_PATH from @/lib/files
    • Replaced unsafe path construction with safePathJoin calls
    • Added comment explaining the security fix

Closes #75

The deleteFile function used path.resolve(path.normalize(file.path))
without validating that the resulting path stays within the user's
uploads directory. If an attacker could control the path value stored
in the database (e.g. via backup restore), they could delete arbitrary
files on the server.

Now uses safePathJoin (consistent with the rest of the codebase) to
resolve file.path relative to the user's uploads directory, which
throws if the resolved path escapes the base directory.

Fixes vas3k#75
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] deleteFile in models/files.ts uses unsanitized path from database, allowing arbitrary file deletion

1 participant