Security improvements: protect from directory traversal and iFrame content injection
This commit is contained in:
parent
7b3665da6e
commit
c223589add
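--- a/[PATH-NOT-ON-PAGE: file 1, the board-save module]
+++ b/[PATH-NOT-ON-PAGE: file 1, the board-save module]
@@ -1,6 +1,8 @@
 //This file is only for saving the whiteboard.
 const fs = require("fs");
+const path = require("path");
 const config = require("./config/config");
+const FILE_DATABASE_FOLDER = "savedBoards";
 
 var savedBoards = {};
 var savedUndos = {};
@@ -144,7 +146,13 @@ module.exports = {
 // try to load from DB
 if (config.backend.enableFileDatabase) {
 //read saved board from file
-var filePath = "savedBoards/" + wid + ".json";
+var fileName = wid + ".json";
+var filePath = FILE_DATABASE_FOLDER + "/" + fileName;
+if(path.dirname(filePath) !== FILE_DATABASE_FOLDER || path.basename(fileName) !== fileName) {
+var errorMessage = "Attempted path traversal attack: ";
+console.log(errorMessage, filePath);
+throw new Error(errorMessage + filePath);
+}
 if (fs.existsSync(filePath)) {
 var data = fs.readFileSync(filePath);
 if (data) {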
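Review bot: The traversal check is inlined in the load branch of `module.exports` (second hunk), so any other place this module builds `savedBoards/<wid>.json` — the code that writes a board to disk is the obvious candidate, but it is not visible in this hunk — stays unprotected unless it was updated separately. Moving the validation into one helper that every file-database access calls keeps the check from drifting between call sites, and is a better home for the why-comment the new `if` currently lacks. The `path.dirname(filePath)` comparison is redundant once `path.basename(fileName) === fileName` holds, since `filePath` is built from `fileName`; I kept it below for parity but a single basename test is enough. Note also that the `throw` surfaces as an uncaught exception unless the caller (outside this hunk) wraps the load in try/catch — worth confirming the request handler turns it into an error response rather than a process crash.
```javascript
// Resolve the on-disk path for board `wid`, rejecting any id that would
// escape FILE_DATABASE_FOLDER. Every file-database read/write goes through here.
function boardFilePath(wid) {
    var fileName = wid + ".json";
    var filePath = FILE_DATABASE_FOLDER + "/" + fileName;
    if (path.basename(fileName) !== fileName || path.dirname(filePath) !== FILE_DATABASE_FOLDER) {
        var errorMessage = "Attempted path traversal attack: ";
        console.log(errorMessage, filePath);
        throw new Error(errorMessage + filePath);
    }
    return filePath;
}
// … unchanged: module.exports up to the load branch …
//read saved board from file
var filePath = boardFilePath(wid);
// … unchanged: fs.existsSync / readFileSync handling …
```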
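--- a/[PATH-NOT-ON-PAGE: file 2, the client whiteboard script]
+++ b/[PATH-NOT-ON-PAGE: file 2, the client whiteboard script]
@@ -907,7 +907,7 @@ function initWhiteboard() {
 
 // handle pasting from clipboard
 window.addEventListener("paste", function (e) {
-if ($(".basicalert").length > 0) {
+if ($(".basicalert").length > 0 || !!e.origin) {
 return;
 }
 if (e.clipboardData) {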
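Review bot: The new `|| !!e.origin` guard in the paste listener tests a property that `ClipboardEvent` does not expose — `origin` is defined on `MessageEvent` — so for a genuine paste event it is `undefined`, the condition is always false, and the guard is a no-op unless some code elsewhere in the file dispatches a paste event that carries its own `origin` field. If the intent is to ignore synthetic, script-dispatched paste events, the platform property to test is `e.isTrusted`, i.e. `if ($(".basicalert").length > 0 || !e.isTrusted) {`; if the intent is to ignore pastes while the page itself is embedded in a frame, `window.self !== window.top` is the relevant condition, and I cannot tell from the hunk which scenario "iFrame content injection" refers to. Whichever it is, the reason deserves a comment above the `if`, e.g. `// ignore paste events that did not originate from the user in this window`. `initWhiteboard` starts and the listener body ends outside this hunk.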