From 409c5f7b75b0ed2f7c798a873b1e7661b41d4e8c Mon Sep 17 00:00:00 2001
From: Niclas Haderer
Date: Sun, 6 Aug 2023 10:05:53 +0200
Subject: [PATCH 1/2] fix: the server does not crash any more when an invalid backup file is uploaded
---
 .gitignore | 1 +
 server/managers/BackupManager.js | 15 +++++++++++----
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/.gitignore b/.gitignore
index 25a8a774..6f47029b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,3 +15,4 @@ test/
 sw.*
 .DS_STORE
+.idea/*
diff --git a/server/managers/BackupManager.js b/server/managers/BackupManager.js
index cf90d0f8..c32e552a 100644
--- a/server/managers/BackupManager.js
+++ b/server/managers/BackupManager.js
@@ -8,6 +8,7 @@ const cron = require('../libs/nodeCron')
 const fs = require('../libs/fsExtra')
 const archiver = require('../libs/archiver')
 const StreamZip = require('../libs/nodeStreamZip')
+const fileUtils = require('../utils/fileUtils')
 // Utils
 const { getFileSize } = require('../utils/fileUtils')
@@ -82,7 +83,7 @@ class BackupManager {
 return res.status(500).send('Invalid backup file')
 }
- const tempPath = Path.join(this.BackupPath, backupFile.name)
+ const tempPath = fileUtils.sanitizeFilename(Path.join(this.BackupPath, backupFile.name))
 const success = await backupFile.mv(tempPath).then(() => true).catch((error) => {
 Logger.error('[BackupManager] Failed to move backup file', path, error)
 return false
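Review bot: The `fileUtils` require added in the `@@ -8,6 +8,7 @@` hunk loads the same module that is already destructured a few lines below (`const { getFileSize } = require('../utils/fileUtils')`), so the file now imports `../utils/fileUtils` twice in two different styles. Extending the existing line to `const { getFileSize, sanitizeFilename } = require('../utils/fileUtils')` and calling `sanitizeFilename(...)` directly would keep a single import under the `// Utils` heading instead of placing a utility among the `libs` requires.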
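Review bot: In the `@@ -82,7 +83,7 @@` hunk the `.catch` handler passes `path` to `Logger.error`, but no `path` binding is visible here; the module is referenced as `Path` and the destination is `tempPath`. If `path` is undeclared, the handler throws a ReferenceError, the awaited promise rejects instead of resolving to `false`, and a failed move of an uploaded file escapes this error path, which is the kind of crash this commit sets out to remove. Logging the destination instead, `Logger.error('[BackupManager] Failed to move backup file', tempPath, error)`, avoids that. The same line appears unchanged in the PATCH 2/2 hunk at `@@ -83,7 +83,7 @@`; the enclosing method starts and ends outside both hunks, so a `path` declared earlier cannot be ruled out.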
@@ -92,8 +93,14 @@ class BackupManager {
 }
 const zip = new StreamZip.async({ file: tempPath })
-
- const entries = await zip.entries()
+ let entries
+ try {
+ entries = await zip.entries()
+ } catch(error){
+ // Not a valid zip file
+ Logger.error('[BackupManager] Failed to read backup file - backup might not be a valid .zip file', tempPath, error)
+ return res.status(400).send('Failed to read backup file - backup might not be a valid .zip file')
+ }
 if (!Object.keys(entries).includes('absdatabase.sqlite')) {
 Logger.error(`[BackupManager] Invalid backup with no absdatabase.sqlite file - might be a backup created on an old Audiobookshelf server.`)
 return res.status(500).send('Invalid backup with no absdatabase.sqlite file - might be a backup created on an old Audiobookshelf server.')
@@ -267,7 +274,7 @@ class BackupManager {
 /**
 * @see https://github.com/TryGhost/node-sqlite3/pull/1116
- * @param {Backup} backup
+ * @param {Backup} backup
 * @promise
 */
 backupSqliteDb(backup) {
From 43a5296dd75aac412788d1272e69bcc5ff058da5 Mon Sep 17 00:00:00 2001
From: advplyr
Date: Mon, 7 Aug 2023 17:14:47 -0500
Subject: [PATCH 2/2] Update server/managers/BackupManager.js
---
 server/managers/BackupManager.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/managers/BackupManager.js b/server/managers/BackupManager.js
index c32e552a..e19b1db6 100644
--- a/server/managers/BackupManager.js
+++ b/server/managers/BackupManager.js
@@ -83,7 +83,7 @@ class BackupManager {
 return res.status(500).send('Invalid backup file')
 }
- const tempPath = fileUtils.sanitizeFilename(Path.join(this.BackupPath, backupFile.name))
+ const tempPath = Path.join(this.BackupPath, fileUtils.sanitizeFilename(backupFile.name))
 const success = await backupFile.mv(tempPath).then(() => true).catch((error) => {
 Logger.error('[BackupManager] Failed to move backup file', path, error)
 return false
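Review bot: The new `catch` in the `@@ -92,8 +93,14 @@` hunk returns 400 without removing the upload that was just moved to `tempPath` and without closing `zip`, so each rejected upload appears to stay in the backup directory, possibly with an open file handle. Adding `await zip.close().catch(() => {})` and `await fs.remove(tempPath).catch(() => {})` before the `return` would clean up; the `absdatabase.sqlite` check right after it returns early in the same way. That check also still answers 500 for what is a client error, while the new branch uses 400. The method continues past the hunk, so cleanup elsewhere cannot be ruled out.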
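Review bot: After the PATCH 2/2 change at `@@ -83,7 +83,7 @@` the upload is still written into `this.BackupPath` under a name derived from the client's `backupFile.name`, and the result of `sanitizeFilename` is used without a check. Its body is not on this page: if it can return an empty string or a non-string, `Path.join` yields the backup directory itself or throws outside any `try`. A sanitized name that equals an existing backup's file name may also replace that backup when `mv` runs, before the archive has been validated (whether `mv` overwrites is not visible here). A server-generated temporary name avoids both, for example `const tempPath = Path.join(this.BackupPath, 'upload-' + Date.now() + '.zip')`, keeping the client-supplied name for logging only.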