authorMatt Strapp <matt@mattstrapp.net>2022-04-14 13:36:19 -0500
committerMatt Strapp <matt@mattstrapp.net>2022-04-14 13:38:04 -0500
commitb326fae5bdc21d2a2a9de1b30e34925f66749cfb (patch)
tree63b643516a0bad462fa705863f2b09b5786deaef
parentBump @types/node from 17.0.23 to 17.0.24 (#46) (diff)
Path traversal mitigation
Signed-off-by: Matt Strapp <matt@mattstrapp.net>
-rw-r--r--src/routes/api.ts4
1 files changed, 1 insertions, 3 deletions
diff --git a/src/routes/api.ts b/src/routes/api.ts
index 4b10121..2829a39 100644
--- a/src/routes/api.ts
+++ b/src/routes/api.ts
@@ -214,9 +214,7 @@ api
if ((await verifyFile(path, res)) !== true) return;
// Read the file and send it to the client
res.type('text/csv');
- // Snyk error mitigation, should be fine since tmp is private and the simple regex above should prevent path traversal
- // deepcode ignore PT: This is probably mitigated by the regex
- return res.sendFile(path);
+ return res.sendFile(path.replace('/~', ''));
})
// Fallback
.all(csrf, (req: Request, res: Response) => {
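Review bot: The new `res.sendFile(path.replace('/~', ''))` rewrites the path only after `verifyFile(path, res)` on the first context line has already accepted the original string, so the file that was verified and the file that is sent are no longer the same value; apply the normalization first and verify its result, e.g. `const safePath = path.replace('/~', ''); if ((await verifyFile(safePath, res)) !== true) return; … return res.sendFile(safePath);`. Note also that `replace` with a string pattern removes only the first occurrence, so this is not a full normalization of the value; if the intent is to confine reads to the temp directory, resolving the candidate with Node's `path` module and checking that the resolved absolute path starts with the intended base directory is the conventional containment check (the `path` variable here is a string, so the module would need a different local name). The handler's body begins before this hunk, so I cannot see where `path` is built or what `verifyFile` checks.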