Dinawo/CDN-APP-INSIDER
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
Files
secops/security-update-2026-03-12
CDN-APP-INSIDER/routes/Dpanel/API/DeleteFileFolder.js
dinawo a8af857cd3
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
security: fix vulnerabilities and harden code (2026-03-12) 
Path traversal fixes:
- DeleteFile.js: use path.resolve() + symlink protection (CRITICAL)
- DeleteFileFolder.js: add path.resolve() validation + symlink check (CRITICAL)
- RenameFile.js: use path.resolve() with proper prefix check + symlink guard (HIGH)
- attachments.js: add baseDir validation + skip symlinks in recursive search (MEDIUM)

XSS fixes:
- dashboard.js: escape user input in onerror/onclick inline attributes (HIGH)
- paramadminsettingsetup.script.js: escape values in innerHTML template (MEDIUM)

Input validation:
- inputValidationMiddleware.js: block suspicious requests instead of logging only (MEDIUM)

Version bump: 1.2.2-beta → 1.2.3-beta
2026-03-12 20:18:28 +01:00

62 lines
2.2 KiB
JavaScript
Raw Permalink Blame History

const express = require('express');
const fs = require('fs');
const path = require('path');
const router = express.Router();
const fileUpload = require('express-fileupload');
const authMiddleware = require('../../../Middlewares/authMiddleware');
const { loggers } = require('winston');
const ncp = require('ncp').ncp;
const configFile = fs.readFileSync(path.join(__dirname, '../../../data', 'setup.json'), 'utf-8')
const config = JSON.parse(configFile);
const bodyParser = require('body-parser');
const crypto = require('crypto');
const os = require('os');
const { getUserData, getSetupData } = require('../../../Middlewares/watcherMiddleware');
const { logger, logRequestInfo, ErrorLogger, authLogger } = require('../../../config/logs');
let setupData = getSetupData();
let userData = getUserData();
router.use(bodyParser.json());
router.get('/', (req, res) => {
res.status(400).json({ error: 'Bad Request. The request cannot be fulfilled due to bad syntax or missing parameters.' });
});
router.post('/:folderName', authMiddleware, (req, res) => {
const userId = req.userData.name;
const { filename } = req.body;
if (!userId || !filename) {
return res.status(400).json({ error: 'Paramètres manquants.' });
}
const userFolderPath = path.resolve('cdn-files', userId);
const filePath = path.resolve(userFolderPath, req.params.folderName, filename);
if (!filePath.startsWith(userFolderPath + path.sep)) {
return res.status(403).json({ error: 'Accès non autorisé.' });
}
try {
const stat = fs.lstatSync(filePath);
if (stat.isSymbolicLink()) {
return res.status(403).json({ error: 'Accès non autorisé.' });
}
} catch (e) {
return res.status(404).json({ error: 'Le fichier spécifié n\'existe pas.' });
}
if (!fs.existsSync(filePath)) {
return res.status(404).json({ error: 'Le fichier spécifié n\'existe pas.' });
}
fs.unlink(filePath, (err) => {
if (err) {
console.error(err);
return res.status(500).json({ error: 'Erreur lors de la suppression du fichier.' });
}
res.json({ deleted: true, success: 'Fichier supprimé avec succès.' });
});
});
module.exports = router;
Reference in New Issue View Git Blame Copy Permalink