diff options
| author | Matt Strapp <matt@mattstrapp.net> | 2022-04-14 13:36:19 -0500 |
|---|---|---|
| committer | Matt Strapp <matt@mattstrapp.net> | 2022-04-14 13:38:04 -0500 |
| commit | b326fae5bdc21d2a2a9de1b30e34925f66749cfb (patch) | |
| tree | 63b643516a0bad462fa705863f2b09b5786deaef /src | |
| parent | Bump @types/node from 17.0.23 to 17.0.24 (#46) (diff) | |
| download | ee4511w-web-b326fae5bdc21d2a2a9de1b30e34925f66749cfb.tar ee4511w-web-b326fae5bdc21d2a2a9de1b30e34925f66749cfb.tar.gz ee4511w-web-b326fae5bdc21d2a2a9de1b30e34925f66749cfb.tar.bz2 ee4511w-web-b326fae5bdc21d2a2a9de1b30e34925f66749cfb.tar.lz ee4511w-web-b326fae5bdc21d2a2a9de1b30e34925f66749cfb.tar.xz ee4511w-web-b326fae5bdc21d2a2a9de1b30e34925f66749cfb.tar.zst ee4511w-web-b326fae5bdc21d2a2a9de1b30e34925f66749cfb.zip | |
Path traversal mitigation
Signed-off-by: Matt Strapp <matt@mattstrapp.net>
Diffstat (limited to 'src')
| -rw-r--r-- | src/routes/api.ts | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/src/routes/api.ts b/src/routes/api.ts index 4b10121..2829a39 100644 --- a/src/routes/api.ts +++ b/src/routes/api.ts @@ -214,9 +214,7 @@ api if ((await verifyFile(path, res)) !== true) return; // Read the file and send it to the client res.type('text/csv'); - // Snyk error mitigation, should be fine since tmp is private and the simple regex above should prevent path traversal - // deepcode ignore PT: This is probably mitigated by the regex - return res.sendFile(path); + return res.sendFile(path.replace('/~', '')); }) // Fallback .all(csrf, (req: Request, res: Response) => { |