Cutlery/audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-11-04 03:17:00 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix filesystem pathexists path join

Browse Source
This commit is contained in:
advplyr 2025-06-10 17:02:42 -05:00
parent 6968a5c02a
commit 0135b3560c
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
server/controllers/FileSystemController.js
View File

@ -89,7 +89,6 @@ class FileSystemController {
} }
const { directory, folderPath } = req.body const { directory, folderPath } = req.body
if (!directory?.length || typeof directory !== 'string' || !folderPath?.length || typeof folderPath !== 'string') { if (!directory?.length || typeof directory !== 'string' || !folderPath?.length || typeof folderPath !== 'string') {
Logger.error(`[FileSystemController] Invalid request body: ${JSON.stringify(req.body)}`) Logger.error(`[FileSystemController] Invalid request body: ${JSON.stringify(req.body)}`)
return res.status(400).json({ return res.status(400).json({
@ -109,7 +108,8 @@ class FileSystemController {
return res.sendStatus(404) return res.sendStatus(404)
} }
const filepath = Path.posix.join(libraryFolder.path, directory) const filepath = Path.join(libraryFolder.path, directory)
// Ensure filepath is inside library folder (prevents directory traversal) // Ensure filepath is inside library folder (prevents directory traversal)
if (!filepath.startsWith(libraryFolder.path)) { if (!filepath.startsWith(libraryFolder.path)) {
Logger.error(`[FileSystemController] Filepath is not inside library folder: ${filepath}`) Logger.error(`[FileSystemController] Filepath is not inside library folder: ${filepath}`)