CDN-APP-INSIDER/routes/Dpanel/API/ProfilPicture.js
dinawo 76dc23c861 security: fix vulnerabilities and update security hardening (2026-03-12)
Code security fixes:
- Fixed 3 critical auth bypass bugs (typo `user.jso` → `user.json`) in the RenameFile, NewFolder and DeleteFolder API routes
- Added URL validation (HTTP/HTTPS only) on ProfilPicture and BackgroundCustom endpoints to prevent stored XSS/CSS injection
- Added path traversal protection in Upload.js (resolved path boundary check)
- Removed unsafe-eval from CSP script-src directive
- Removed information disclosure in BuildMetaData error responses
- Removed unused child_process import in BuildMetaData.js

Version bump: 1.2.1-beta → 1.2.2-beta
2026-03-12 17:16:16 +01:00


const express = require('express');
const fs = require('fs');
const path = require('path');
// Router exported at the bottom of this file; the POST handler below hangs off it.
const router = express.Router();
// Parse JSON request bodies so req.body.userId / req.body.profilePictureUrl exist.
router.use(express.json());
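// Upper bound on an accepted URL. The value is persisted verbatim into
// data/user.json, so an unbounded string would let one request bloat the file.
const MAX_PROFILE_PICTURE_URL_LENGTH = 2048;

/**
 * POST / — set a user's profile picture URL.
 *
 * Expects a JSON body `{ userId, profilePictureUrl }`. Answers 400 when the
 * URL is missing, not a string, too long, unparsable, or not http(s); any
 * other outcome (200 / 404 / 500) comes from updateUserProfilePicture.
 *
 * NOTE(review): `userId` is taken from the request body, so whoever can reach
 * this route can change any user's picture. Whether an auth middleware is
 * mounted in front of this router is not visible in this file — if it is not,
 * the id should come from the authenticated session, not the body.
 */
router.post('/', (req, res) => {
  const { userId, profilePictureUrl } = req.body;
  if (!profilePictureUrl) {
    return res.status(400).send('No profile picture URL provided.');
  }
  // express.json() can hand us an array or object here; new URL() would
  // silently stringify it ("http://x" inside an array still parses), so
  // insist on a real string and cap its size before parsing.
  if (
    typeof profilePictureUrl !== 'string' ||
    profilePictureUrl.length > MAX_PROFILE_PICTURE_URL_LENGTH
  ) {
    return res.status(400).send('Invalid URL format.');
  }
  // Restricting the scheme keeps javascript:/data: URLs out of the stored
  // value. It does NOT make the value safe to splice into HTML or CSS
  // unescaped — whatever renders profilePicture must still attribute-encode
  // it. Nothing in this file fetches the URL server-side; if some other code
  // does, http(s)-only is no protection against internal-host (SSRF) targets.
  try {
    const parsed = new URL(profilePictureUrl);
    if (!['http:', 'https:'].includes(parsed.protocol)) {
      return res.status(400).send('Invalid URL protocol. Only HTTP/HTTPS allowed.');
    }
  } catch {
    return res.status(400).send('Invalid URL format.');
  }
  updateUserProfilePicture(userId, profilePictureUrl, res);
});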
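/**
 * Persist a new profile-picture URL for one user in data/user.json and write
 * the outcome to the HTTP response.
 *
 * @param {*} userId - matched against each record's `id` with strict equality.
 * @param {string} profilePictureUrl - URL to store; the caller has validated it.
 * @param {object} res - Express response. 200 + `{ profilePicture }` on
 *   success, 404 when no record matches, 500 when the file cannot be read,
 *   is not a JSON array, or cannot be written.
 *
 * NOTE(review): this is a read-modify-write of the whole file with no lock;
 * two overlapping requests can overwrite each other's change.
 */
const updateUserProfilePicture = (userId, profilePictureUrl, res) => {
  const userFilePath = path.join(__dirname, '../../../data', 'user.json');
  fs.readFile(userFilePath, 'utf8', (readErr, data) => {
    if (readErr) {
      return res.status(500).send('Error reading the file');
    }
    // A throw inside an fs callback is not caught by Express's error handling
    // and would take the whole process down, so a corrupt or non-array file
    // is turned into a 500 instead of crashing the server.
    let users;
    try {
      users = JSON.parse(data);
    } catch {
      return res.status(500).send('Error reading the file');
    }
    if (!Array.isArray(users)) {
      return res.status(500).send('Error reading the file');
    }
    // Skip null/primitive entries so a malformed record cannot throw here.
    const userIndex = users.findIndex((u) => u && u.id === userId);
    if (userIndex === -1) {
      return res.status(404).send('User not found');
    }
    users[userIndex].profilePicture = profilePictureUrl;
    fs.writeFile(userFilePath, JSON.stringify(users, null, 2), (writeErr) => {
      if (writeErr) {
        return res.status(500).send('Error writing to the file');
      }
      res.json({ profilePicture: profilePictureUrl });
    });
  });
};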
// Expose the router for the code that requires this file to mount.
module.exports = router;