add some XSS / path traversal validation

2022-02-07 12:28:38 +01:00
parent 74c8cb555d
commit 592acbdb19
4 changed files with 13 additions and 7 deletions
--- a/server/helpers.js
+++ b/server/helpers.js
@@ -112,6 +112,9 @@ module.exports = {

  async getImageFromURL (url) {
    log.debug(`getImageFromURL ${url}`)
+    if(!/^https?:\/\//.test(url)) {
+      throw Error('Hacking attempt?')
+    }
    const filename = crypto.randomBytes(16).toString('hex') + '.jpg'
    const finalPath = path.resolve(config.upload_path, filename)
    const thumbPath = path.resolve(config.upload_path, 'thumb', filename)