Dinawo/CDN-APP-INSIDER
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

security: fix vulnerabilities and harden code (2026-03-12)
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details

Browse Source 
Path traversal fixes:
- DeleteFile.js: use path.resolve() + symlink protection (CRITICAL)
- DeleteFileFolder.js: add path.resolve() validation + symlink check (CRITICAL)
- RenameFile.js: use path.resolve() with proper prefix check + symlink guard (HIGH)
- attachments.js: add baseDir validation + skip symlinks in recursive search (MEDIUM)

XSS fixes:
- dashboard.js: escape user input in onerror/onclick inline attributes (HIGH)
- paramadminsettingsetup.script.js: escape values in innerHTML template (MEDIUM)

Input validation:
- inputValidationMiddleware.js: block suspicious requests instead of logging only (MEDIUM)

Version bump: 1.2.2-beta → 1.2.3-beta
This commit is contained in:
.dinawo
2026-03-12 20:18:28 +01:00
parent 1fbfc28780
commit a8af857cd3
8 changed files with 101 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
Middlewares/inputValidationMiddleware.js
View File

@@ -171,7 +171,8 @@ const inputValidationMiddleware = (req, res, next) => {
if (req.body && typeof req.body === 'object') {
const bodyStr = JSON.stringify(req.body);
if (suspiciousPatterns.some(pattern => pattern.test(bodyStr))) {
logger.warn(`Suspicious input detected in request body from ${req.ip}: ${req.path}`);
logger.warn(`Suspicious input blocked in request body from ${req.ip}: ${req.path}`);
return res.status(400).json({ error: 'Input invalide détecté.' });
}
}
@@ -179,11 +180,11 @@ const inputValidationMiddleware = (req, res, next) => {
if (req.query && typeof req.query === 'object') {
const queryStr = JSON.stringify(req.query);
if (suspiciousPatterns.some(pattern => pattern.test(queryStr))) {
logger.warn(`Suspicious input detected in query params from ${req.ip}: ${req.path}`);
logger.warn(`Suspicious input blocked in query params from ${req.ip}: ${req.path}`);
return res.status(400).json({ error: 'Input invalide détecté.' });
}
}
// Continuer sans bloquer (logging only pour ne pas casser l'app)
next();
} catch (error) {
logger.error('Error in input validation middleware:', error);