author | Matt Strapp <matt@mattstrapp.net> | 2022-02-22 18:43:51 -0600 |
---|---|---|
committer | Matt Strapp <matt@mattstrapp.net> | 2022-02-22 18:52:23 -0600 |
commit | 52888e1651e5056849ab8d7ac8785eb48a141e2f (patch) | |
tree | fd69efd967b295d81b49fa71df7ac348f143f696 /src | |
parent | Maybe add CSV support (diff) | |
add comment
Signed-off-by: Matt Strapp <matt@mattstrapp.net>
Diffstat (limited to 'src')
-rw-r--r-- | src/routes/api.ts | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/src/routes/api.ts b/src/routes/api.ts
index 798fb27..f17b179 100644
--- a/src/routes/api.ts
+++ b/src/routes/api.ts
@@ -155,16 +155,29 @@ api.route('/actuate')
 return res.status(405).json({ error: 'Method not allowed.' });
 });
-
+/*
+ Download the CSV file after running the pendulum
+ GET /api/v1/download
+ Parameters:
+ filename: The name of the file to download
+ Returns:
+ 200: (the CSV file)
+ 403 when someone is trying to do directory traversal
+ 404 when the file is not accessible or does not exist
+ 500 for any other errors
+*/
 api.route('/download')
 .get(csrf, async (req: Request, res: Response) => {
- const path: string = `/tmp/${req.query.filename}.csv` as string;
-
+ const filename: string = req.query.filename as string;
+ if (!filename)
+ return res.status(400).json({ error: 'No filename specified.' });
 // Make sure no path traversal is attempted
 // This regex matches all alphanumeric characters, underscores, and dashes.
 // MAKE SURE THIS DOES NOT ALLOW PATH TRAVERSAL
- if (/^[\w-]+$/.test(path))
- return res.status(403).json({ error: 'Get lost' });
+ if (!/^[\w-]+$/.test(filename))
+ return res.status(403).json({ error: 'No.' });
+
+ const path = `/tmp/${filename}.csv`;
 // Verify that the file exists and is a regular file
 // Return if not since the res will be sent by the verifyFile function
@@ -198,7 +211,7 @@ async function verifyFile(file: string, res: Response) {
 try {
 await access(file);
 } catch (err) {
- res.status(403).json({ error: 'File is not accessible or does not exist.' });
+ res.status(404).json({ error: 'File is not accessible or does not exist.' });
 return false;
 }
 // This is a try catch because otherwise type checking will fail and get all messed up |
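Review bot: The `as string` cast on `req.query.filename` is erased at compile time, so (assuming the framework's default query parser) a repeated or bracketed `filename` parameter reaches the `!filename` and regex checks as an array or object rather than a string. The allowlist still holds only because `RegExp.prototype.test` and the template literal both coerce the value to a string. An explicit guard before the regex, `if (typeof req.query.filename !== 'string') return res.status(400).json({ error: 'No filename specified.' });`, makes the traversal check independent of that coercion. The new header comment also omits the 400 response this handler now returns; adding a line such as `400 when no filename is given` would keep it accurate. The handler body continues past the end of the hunk.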
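Review bot: The `catch (err)` around `await access(file)` discards the error, so after this change a missing file and a permission problem both become an unlogged 404. Keeping the client response uniform is reasonable, but logging the error code on the server, e.g. `console.error('download access check failed:', (err as NodeJS.ErrnoException).code);` (or the project's own logger), would let an operator tell requests for nonexistent names apart from a file with wrong permissions. verifyFile continues outside the hunk, so whether the file is later opened by path again, leaving a check-then-use gap after `access`, cannot be judged from here.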