From b326fae5bdc21d2a2a9de1b30e34925f66749cfb Mon Sep 17 00:00:00 2001 From: Matt Strapp Date: Thu, 14 Apr 2022 13:36:19 -0500 Subject: Path traversal mitigation Signed-off-by: Matt Strapp --- src/routes/api.ts | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'src') diff --git a/src/routes/api.ts b/src/routes/api.ts index 4b10121..2829a39 100644 --- a/src/routes/api.ts +++ b/src/routes/api.ts @@ -214,9 +214,7 @@ api if ((await verifyFile(path, res)) !== true) return; // Read the file and send it to the client res.type('text/csv'); - // Snyk error mitigation, should be fine since tmp is private and the simple regex above should prevent path traversal - // deepcode ignore PT: This is probably mitigated by the regex - return res.sendFile(path); + return res.sendFile(path.replace('/~', '')); }) // Fallback .all(csrf, (req: Request, res: Response) => { -- cgit v1.2.3