extern/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-06-24 19:51:30 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4393 from advplyr/fix_pathexists_join

Browse Source 
Fix filesystem pathexists path join
This commit is contained in:
advplyr 2025-06-10 17:20:23 -05:00 committed by GitHub
commit 7a33a412fc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
server/controllers/FileSystemController.js
View File

@ -89,7 +89,6 @@ class FileSystemController {
} }
const { directory, folderPath } = req.body const { directory, folderPath } = req.body
if (!directory?.length || typeof directory !== 'string' || !folderPath?.length || typeof folderPath !== 'string') { if (!directory?.length || typeof directory !== 'string' || !folderPath?.length || typeof folderPath !== 'string') {
Logger.error(`[FileSystemController] Invalid request body: ${JSON.stringify(req.body)}`) Logger.error(`[FileSystemController] Invalid request body: ${JSON.stringify(req.body)}`)
return res.status(400).json({ return res.status(400).json({
@ -109,7 +108,8 @@ class FileSystemController {
return res.sendStatus(404) return res.sendStatus(404)
} }
const filepath = Path.posix.join(libraryFolder.path, directory) const filepath = Path.join(libraryFolder.path, directory)
// Ensure filepath is inside library folder (prevents directory traversal) // Ensure filepath is inside library folder (prevents directory traversal)
if (!filepath.startsWith(libraryFolder.path)) { if (!filepath.startsWith(libraryFolder.path)) {
Logger.error(`[FileSystemController] Filepath is not inside library folder: ${filepath}`) Logger.error(`[FileSystemController] Filepath is not inside library folder: ${filepath}`)