From 6a4bc777a2eb2ba2d4570c3b2e1f13cd46b3f2cf Mon Sep 17 00:00:00 2001
From: Pablo Diz <87752439+pablodre@users.noreply.github.com>
Date: Sun, 31 Mar 2024 16:47:03 +0200
Subject: [PATCH] Fix external library path validation #8319 (#8366)
* Fix isImmichPath
* prettier write
* Fis isImmichPath code comment
* Refactor isImmichPath function based on team suggestions
* Test isImmichPath
* fix: clean comments
* Refactor isImmichPath test based on team suggestions
* Clean code with lintern suggestions
---
server/src/cores/storage.core.spec.ts | 29 +++++++++++++++++++++++++++
server/src/cores/storage.core.ts | 8 +++++++-
2 files changed, 36 insertions(+), 1 deletion(-)
create mode 100644 server/src/cores/storage.core.spec.ts
diff --git a/server/src/cores/storage.core.spec.ts b/server/src/cores/storage.core.spec.ts
new file mode 100644
index 000000000..16258f095
--- /dev/null
+++ b/server/src/cores/storage.core.spec.ts
@@ -0,0 +1,29 @@
+import { StorageCore } from 'src/cores/storage.core';
+
+jest.mock('src/constants', () => ({
+ APP_MEDIA_LOCATION: '/photos',
+}));
+
+describe('StorageCore', () => {
+ describe('isImmichPath', () => {
+ it('should return true for APP_MEDIA_LOCATION path', () => {
+ const immichPath = '/photos';
+ expect(StorageCore.isImmichPath(immichPath)).toBe(true);
+ });
+
+ it('should return true for paths within the APP_MEDIA_LOCATION', () => {
+ const immichPath = '/photos/new/';
+ expect(StorageCore.isImmichPath(immichPath)).toBe(true);
+ });
+
+ it('should return false for paths outside the APP_MEDIA_LOCATION and same starts', () => {
+ const nonImmichPath = '/photos_new';
+ expect(StorageCore.isImmichPath(nonImmichPath)).toBe(false);
+ });
+
+ it('should return false for paths outside the APP_MEDIA_LOCATION', () => {
+ const nonImmichPath = '/some/other/path';
+ expect(StorageCore.isImmichPath(nonImmichPath)).toBe(false);
+ });
+ });
+});
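Review bot: The four cases in `describe('isImmichPath')` never exercise the normalisation that `resolve()` performs, so a regression in how `..` segments are handled would go unnoticed. Consider one case whose segments leave the media root and one whose segments return into it, e.g. `expect(StorageCore.isImmichPath('/photos/../photos_new')).toBe(false);` and `expect(StorageCore.isImmichPath('/other/../photos/a')).toBe(true);` (constructed sample paths). The `jest.mock('src/constants', ...)` factory also replaces the whole module with a single key; if `storage.core` reads any other constant (not visible in this patch) it would be `undefined` under test, and spreading `jest.requireActual('src/constants')` into the factory would avoid that.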
diff --git a/server/src/cores/storage.core.ts b/server/src/cores/storage.core.ts
index b9dad8642..ee9f12e51 100644
--- a/server/src/cores/storage.core.ts
+++ b/server/src/cores/storage.core.ts
@@ -115,7 +115,13 @@ export class StorageCore {
 }

 static isImmichPath(path: string) {
- return resolve(path).startsWith(resolve(APP_MEDIA_LOCATION));
+ const resolvedPath = resolve(path);
+ const resolvedAppMediaLocation = resolve(APP_MEDIA_LOCATION);
+ const normalizedPath = resolvedPath.endsWith('/') ? resolvedPath : resolvedPath + '/';
+ const normalizedAppMediaLocation = resolvedAppMediaLocation.endsWith('/')
+ ? resolvedAppMediaLocation
+ : resolvedAppMediaLocation + '/';
+ return normalizedPath.startsWith(normalizedAppMediaLocation);
 }

 static isGeneratedAsset(path: string) {
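Review bot: The comparison in `isImmichPath` is still purely lexical: `resolve()` collapses `.` and `..` but does not follow symlinks, so a path that reaches the media location through a symlink, or a parent directory that contains it, is reported as outside. If callers use this as the guard for external library paths (the commit title suggests so; the call sites are not in this hunk), the method should carry a doc comment stating that limit, e.g. `/** Lexical check only: symlinks are not resolved, and parent directories of APP_MEDIA_LOCATION return false. */`. The hard-coded `'/'` also assumes POSIX separators; if `resolve` comes from `node:path` (the import is outside the hunk), `sep` is the portable choice, as in `resolvedPath.endsWith(sep) ? resolvedPath : resolvedPath + sep`.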