Dinawo/CDN-APP-INSIDER
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
Files
secops/security-update-2026-03-12
CDN-APP-INSIDER/routes/attachments.js
dinawo a8af857cd3
Some checks failed
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is failing
Details
security: fix vulnerabilities and harden code (2026-03-12) 
Path traversal fixes:
- DeleteFile.js: use path.resolve() + symlink protection (CRITICAL)
- DeleteFileFolder.js: add path.resolve() validation + symlink check (CRITICAL)
- RenameFile.js: use path.resolve() with proper prefix check + symlink guard (HIGH)
- attachments.js: add baseDir validation + skip symlinks in recursive search (MEDIUM)

XSS fixes:
- dashboard.js: escape user input in onerror/onclick inline attributes (HIGH)
- paramadminsettingsetup.script.js: escape values in innerHTML template (MEDIUM)

Input validation:
- inputValidationMiddleware.js: block suspicious requests instead of logging only (MEDIUM)

Version bump: 1.2.2-beta → 1.2.3-beta
2026-03-12 20:18:28 +01:00

186 lines
6.4 KiB
JavaScript
Raw Permalink Blame History

const express = require('express');
const router = express.Router();
const path = require('path');
const fs = require('fs').promises;
const fsStandard = require('fs');
const mime = require('mime-types');
const { logger, ErrorLogger } = require('../config/logs');
const bcrypt = require('bcrypt');
const compression = require('compression');
const { pipeline } = require('stream/promises'); // Utilisation du pipeline moderne
const baseDir = 'cdn-files';
// Middleware de compression gzip
router.use(compression());
async function getSamAccountNameFromUserId(userId) {
const data = await fs.readFile(path.join(__dirname, '../data', 'user.json'), 'utf8');
const users = JSON.parse(data);
const user = users.find(user => user.id === userId);
if (user) {
return user.name;
} else {
throw new Error('User not found');
}
}
async function findFileInUserDir(userId, filename) {
const samaccountname = await getSamAccountNameFromUserId(userId);
const userDir = path.join(baseDir, samaccountname);
return findFileInDir(userDir, filename);
}
async function findFileInDir(dir, filename, baseDir) {
if (!baseDir) baseDir = dir;
const resolvedDir = path.resolve(dir);
const resolvedBase = path.resolve(baseDir);
if (resolvedDir !== resolvedBase && !resolvedDir.startsWith(resolvedBase + path.sep)) {
return null;
}
let files;
try {
files = await fs.readdir(dir, { withFileTypes: true });
} catch (err) {
return null;
}
for (const file of files) {
const filePath = path.join(dir, file.name);
if (file.isSymbolicLink()) {
continue;
}
if (file.name === filename && file.isFile()) {
const resolvedFile = path.resolve(filePath);
if (resolvedFile.startsWith(resolvedBase + path.sep)) {
return filePath;
}
return null;
} else if (file.isDirectory()) {
const found = await findFileInDir(filePath, filename, baseDir);
if (found) {
return found;
}
}
}
return null;
}
router.get('/:userId', (req, res) => {
res.render('unauthorized');
});
router.get('/:userId/:filename', async (req, res) => {
const { userId, filename } = req.params;
try {
const filePath = await findFileInUserDir(userId, filename);
if (!filePath) {
return res.render('file-not-found');
}
const data = await fs.readFile(path.join(__dirname, '../data', 'file_info.json'), 'utf8');
const fileInfoArray = JSON.parse(data);
const fileInfo = fileInfoArray.find(info => info.fileName === filename && info.Id === userId);
if (fileInfo) {
const expiryDate = new Date(fileInfo.expiryDate);
const now = new Date();
if (expiryDate < now) {
await fs.unlink(filePath);
return res.render('file-expired');
}
if (fileInfo.password && !req.session.passwordVerified) {
return res.render('password-check', { userId, filename });
}
}
const mimeType = mime.lookup(filePath) || 'application/octet-stream';
const range = req.headers.range;
const stats = await fs.stat(filePath);
const fileSize = stats.size;
if (range) {
const [start, end] = range.replace(/bytes=/, '').split('-');
const chunkStart = parseInt(start, 10);
const chunkEnd = end ? parseInt(end, 10) : fileSize - 1;
if (chunkStart >= fileSize || chunkEnd >= fileSize) {
res.setHeader('Content-Range', `bytes */${fileSize}`);
return res.status(416).send('Requested Range Not Satisfiable');
}
res.status(206);
res.setHeader('Content-Range', `bytes ${chunkStart}-${chunkEnd}/${fileSize}`);
res.setHeader('Accept-Ranges', 'bytes');
res.setHeader('Content-Length', chunkEnd - chunkStart + 1);
res.setHeader('Content-Type', mimeType);
const readStream = fsStandard.createReadStream(filePath, { start: chunkStart, end: chunkEnd });
await pipeline(readStream, res); // Utilisation de pipeline avec await pour éviter les erreurs
} else {
res.setHeader('Content-Length', fileSize);
res.setHeader('Content-Type', mimeType);
const readStream = fsStandard.createReadStream(filePath);
await pipeline(readStream, res);
}
} catch (err) {
// Ne pas logger les fermetures prématurées côté client (comportement normal)
// Cela se produit quand l'utilisateur annule le téléchargement, ferme le navigateur, etc.
if (err.code !== 'ERR_STREAM_PREMATURE_CLOSE' && err.code !== 'ECONNRESET' && err.code !== 'EPIPE') {
ErrorLogger.error('Error handling request:', err);
}
if (!res.headersSent) {
res.status(500).send('Error reading file.');
}
}
});
router.post('/:userId/:filename', async (req, res) => {
const { userId, filename } = req.params;
const enteredPassword = req.body.password;
try {
const data = await fs.readFile(path.join(__dirname, '../data', 'file_info.json'), 'utf8');
const fileInfoArray = JSON.parse(data);
const fileInfo = fileInfoArray.find(info => info.fileName === filename && info.Id === userId);
if (!fileInfo) {
return res.json({ success: false, message: 'File not found' });
}
const passwordMatch = await bcrypt.compare(enteredPassword, fileInfo.password);
if (passwordMatch) {
req.session.passwordVerified = true;
const filePath = await findFileInUserDir(userId, filename);
const mimeType = mime.lookup(filePath) || 'application/octet-stream';
const readStream = fsStandard.createReadStream(filePath);
let fileContent = '';
for await (const chunk of readStream) {
fileContent += chunk.toString('base64');
}
res.json({ success: true, fileContent, mimeType });
} else {
res.json({ success: false, message: 'Incorrect password' });
}
} catch (err) {
ErrorLogger.error('Error reading file:', err);
if (!res.headersSent) {
res.status(500).send('Error reading file.');
}
}
});
module.exports = router;
Reference in New Issue View Git Blame Copy Permalink