Dinawo/CDN-APP-INSIDER
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

security: fix vulnerabilities and harden code (2026-03-12)
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details

Browse Source 
Path traversal fixes:
- DeleteFile.js: use path.resolve() + symlink protection (CRITICAL)
- DeleteFileFolder.js: add path.resolve() validation + symlink check (CRITICAL)
- RenameFile.js: use path.resolve() with proper prefix check + symlink guard (HIGH)
- attachments.js: add baseDir validation + skip symlinks in recursive search (MEDIUM)

XSS fixes:
- dashboard.js: escape user input in onerror/onclick inline attributes (HIGH)
- paramadminsettingsetup.script.js: escape values in innerHTML template (MEDIUM)

Input validation:
- inputValidationMiddleware.js: block suspicious requests instead of logging only (MEDIUM)

Version bump: 1.2.2-beta → 1.2.3-beta
This commit is contained in:
.dinawo
2026-03-12 20:18:28 +01:00
parent 1fbfc28780
commit a8af857cd3
8 changed files with 101 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
routes/Dpanel/API/DeleteFile.js
View File

@@ -156,19 +156,30 @@ router.post('/', authenticateToken, (req, res) => {
return res.status(400).json({ message: 'User ID or filename missing for file deletion.' });
}
const userFolderPath = path.join('cdn-files', userId);
const userFolderPath = path.resolve('cdn-files', userId);
function findAndDeleteFile(folderPath) {
const resolvedFolder = path.resolve(folderPath);
if (!resolvedFolder.startsWith(userFolderPath + path.sep) && resolvedFolder !== userFolderPath) {
return false;
}
const filesInFolder = fs.readdirSync(folderPath);
for (const file of filesInFolder) {
const filePath = path.join(folderPath, file);
const resolvedFilePath = path.resolve(filePath);
if (!filePath.startsWith(userFolderPath)) {
if (!resolvedFilePath.startsWith(userFolderPath + path.sep)) {
return false;
}
if (fs.statSync(filePath).isDirectory()) {
const stat = fs.lstatSync(filePath);
if (stat.isSymbolicLink()) {
continue;
}
if (stat.isDirectory()) {
const fileDeletedInSubfolder = findAndDeleteFile(filePath);
if (fileDeletedInSubfolder) {
return true;

21
routes/Dpanel/API/DeleteFileFolder.js
View File

@@ -26,8 +26,25 @@ router.post('/:folderName', authMiddleware, (req, res) => {
const userId = req.userData.name;
const { filename } = req.body;
const userFolderPath = path.join('cdn-files', userId || '');
const filePath = path.join(userFolderPath, req.params.folderName, filename || '');
if (!userId || !filename) {
return res.status(400).json({ error: 'Paramètres manquants.' });
}
const userFolderPath = path.resolve('cdn-files', userId);
const filePath = path.resolve(userFolderPath, req.params.folderName, filename);
if (!filePath.startsWith(userFolderPath + path.sep)) {
return res.status(403).json({ error: 'Accès non autorisé.' });
}
try {
const stat = fs.lstatSync(filePath);
if (stat.isSymbolicLink()) {
return res.status(403).json({ error: 'Accès non autorisé.' });
}
} catch (e) {
return res.status(404).json({ error: 'Le fichier spécifié n\'existe pas.' });
}
if (!fs.existsSync(filePath)) {
return res.status(404).json({ error: 'Le fichier spécifié n\'existe pas.' });

30
routes/Dpanel/API/RenameFile.js
View File

@@ -142,16 +142,21 @@ router.post('/', authMiddleware, async (req, res) => {
return res.status(400).json('Both currentName and newName must be provided.');
}
const userDir = path.join('cdn-files', userId);
const currentPath = path.join(userDir, filePath, currentName);
const newPath = path.join(userDir, filePath, newName);
const userDir = path.resolve('cdn-files', userId);
const currentPath = path.resolve(userDir, filePath, currentName);
const newPath = path.resolve(userDir, filePath, newName);
if (!currentPath.startsWith(userDir) || !newPath.startsWith(userDir)) {
if (!currentPath.startsWith(userDir + path.sep) || !newPath.startsWith(userDir + path.sep)) {
ErrorLogger.error('Unauthorized directory access attempt');
return res.status(403).json('Unauthorized directory access attempt');
}
try {
const stat = await fs.promises.lstat(currentPath);
if (stat.isSymbolicLink()) {
return res.status(403).json('Unauthorized: symbolic links are not allowed');
}
await fs.promises.rename(currentPath, newPath);
const data = await fs.promises.readFile(path.join(__dirname, '../../../data', 'file_info.json'), 'utf8');
@@ -170,7 +175,7 @@ router.post('/', authMiddleware, async (req, res) => {
await fs.promises.writeFile(path.join(__dirname, '../../../data', 'file_info.json'), JSON.stringify(fileInfo, null, 2), 'utf8');
}
res.status(200).json('Operation was successful.');
res.status(200).json('Operation was successful.');
} catch (err) {
console.error(err);
return res.status(500).json('Error renaming the file.');
@@ -186,16 +191,21 @@ router.post('/:filePath*', authMiddleware, async (req, res) => {
return res.status(400).json('Both currentName and newName must be provided.');
}
const userDir = path.join('cdn-files', userId);
const currentPath = path.join(userDir, filePath, currentName);
const newPath = path.join(userDir, filePath, newName);
const userDir = path.resolve('cdn-files', userId);
const currentPath = path.resolve(userDir, filePath, currentName);
const newPath = path.resolve(userDir, filePath, newName);
if (!currentPath.startsWith(userDir) || !newPath.startsWith(userDir)) {
if (!currentPath.startsWith(userDir + path.sep) || !newPath.startsWith(userDir + path.sep)) {
ErrorLogger.error('Unauthorized directory access attempt');
return res.status(403).json('Unauthorized directory access attempt');
}
try {
const stat = await fs.promises.lstat(currentPath);
if (stat.isSymbolicLink()) {
return res.status(403).json('Unauthorized: symbolic links are not allowed');
}
await fs.promises.rename(currentPath, newPath);
const data = await fs.promises.readFile(path.join(__dirname, '../../../data', 'file_info.json'), 'utf8');
@@ -214,7 +224,7 @@ router.post('/:filePath*', authMiddleware, async (req, res) => {
await fs.promises.writeFile(path.join(__dirname, '../../../data', 'file_info.json'), JSON.stringify(fileInfo, null, 2), 'utf8');
}
res.status(200).json('Operation was successful.');
res.status(200).json('Operation was successful.');
} catch (err) {
console.error(err);
return res.status(500).json('Error renaming the file.');