From 2008db08524259264a0c8186a34fc75d7a133f5f Mon Sep 17 00:00:00 2001
From: KernelDeimos
Date: Wed, 19 Jun 2024 16:54:06 -0400
Subject: [PATCH] fix: validate size metadata
---
 .../src/routers/filesystem_api/batch/all.js | 5 ++++-
 .../backend/src/routers/filesystem_api/write.js | 13 ++++++++++++-
 packages/backend/src/util/validutil.js | 14 ++++++++++++++
 3 files changed, 30 insertions(+), 2 deletions(-)
 create mode 100644 packages/backend/src/util/validutil.js
diff --git a/packages/backend/src/routers/filesystem_api/batch/all.js b/packages/backend/src/routers/filesystem_api/batch/all.js
index b367ed52..5b30d691 100644
--- a/packages/backend/src/routers/filesystem_api/batch/all.js
+++ b/packages/backend/src/routers/filesystem_api/batch/all.js
@@ -27,6 +27,7 @@ const { BatchExecutor } = require("../../../filesystem/batch/BatchExecutor");
 const { TeePromise } = require("../../../util/promise");
 const { EWMA, MovingMode } = require("../../../util/opmath");
 const { get_app } = require('../../../helpers');
+const { valid_file_size } = require("../../../util/validutil");
 const commands = require('../../../filesystem/batch/commands.js').commands;
@@ -189,9 +190,11 @@ module.exports = eggspress('/batch', {
 if ( fieldname === 'fileinfo' ) {
 const fileinfo = JSON.parse(value);
- if ( fileinfo.size < 0 ) {
+ const { v: size, ok: size_ok } = valid_file_size(fileinfo.size);
+ if ( ! size_ok ) {
 throw APIError.create('invalid_file_metadata');
 }
+ fileinfo.size = size;
 fileinfos.push(fileinfo);
 return;
 }
diff --git a/packages/backend/src/routers/filesystem_api/write.js b/packages/backend/src/routers/filesystem_api/write.js
index 6c18ae9d..2bb289b7 100644
--- a/packages/backend/src/routers/filesystem_api/write.js
+++ b/packages/backend/src/routers/filesystem_api/write.js
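Review bot: The new `valid_file_size(fileinfo.size)` line dereferences the result of `JSON.parse(value)` without checking it is an object, so a `fileinfo` field of `null`, a bare number or a quoted string throws a TypeError there instead of the `invalid_file_metadata` error the check is meant to produce, and whether the surrounding handler turns that TypeError into a 4xx is not visible in this hunk. Put a shape check ahead of it: `if ( ! fileinfo || typeof fileinfo !== 'object' ) { throw APIError.create('invalid_file_metadata'); }`. Note also that the helper coerces with `Number()`, so `"size": null` or `"size": ""` passes as `0` and is written back by `fileinfo.size = size`; if an absent size should be an error rather than zero, it has to be rejected here or in the helper. The enclosing handler starts and ends outside this hunk.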
@@ -26,6 +26,7 @@ const Busboy = require('busboy');
 const { TeePromise } = require('../../util/promise.js');
 const APIError = require('../../api/APIError.js');
 const api_error_handler = require('../../api/api_error_handler.js');
+const { valid_file_size } = require('../../util/validutil.js');
 // -----------------------------------------------------------------------//
 // POST /up | /write
@@ -119,9 +120,19 @@ module.exports = eggspress(['/up', '/write'], {
 const { filename, mimetype, } = details;
+
+ const { v: size, ok: size_ok } =
+ valid_file_size(req.body.size);
+
+ if ( ! size_ok ) {
+ p_ready.reject(
+ APIError.create('invalid_file_metadata')
+ );
+ return;
+ }
 uploaded_file = {
- size: req.body.size,
+ size: size,
 name: filename,
 mimetype,
 stream,
diff --git a/packages/backend/src/util/validutil.js b/packages/backend/src/util/validutil.js
new file mode 100644
index 00000000..cdbdc7ac
--- /dev/null
+++ b/packages/backend/src/util/validutil.js
@@ -0,0 +1,14 @@
+const valid_file_size = v => {
+ v = Number(v);
+ if ( ! Number.isInteger(v) ) {
+ return { ok: false, v };
+ }
+ if ( ! (v >= 0) ) {
+ return { ok: false, v };
+ }
+ return { ok: true, v };
+};
+
+module.exports = {
+ valid_file_size,
+};
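Review bot: The rejection branch added before `uploaded_file = {` calls `p_ready.reject(...)` and returns without consuming `stream`, which the `stream` field placed into `uploaded_file` suggests is a Busboy file stream; Busboy expects every file stream to be read or resumed even when its contents are discarded, otherwise the multipart parser stalls and the request can hang open until the client times out. Drain it before leaving: `stream.resume();` immediately before `return;`. Separately, `valid_file_size(undefined)` yields `NaN` and fails, so a request that omits `size` — previously passed through untouched as `req.body.size` — is now rejected; that is probably intended but deserves a sentence in the commit description. The enclosing handler starts and ends outside this hunk.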
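Review bot: `v = Number(v)` on the second line of the new helper is too permissive for client-supplied metadata: `null`, `''`, `false` and `[]` all coerce to `0` and pass, as do `' 7 '`, `'0x10'` and `'1e3'`, and `Number.isInteger` accepts values beyond `Number.MAX_SAFE_INTEGER` where a string such as `'9007199254740993'` has already been rounded. Multipart fields arrive as strings, so accept a number or a decimal-digit string only and bound it with `Number.isSafeInteger`, as below. An upper limit on size belongs here as well if nothing downstream enforces one, but that is not visible in this patch; a one-line JSDoc such as `/** Validate a client-supplied file size; returns { ok, v } with v the parsed Number. */` would also help callers.
```javascript
const valid_file_size = v => {
    // Only a number or a string of decimal digits is accepted; Number()
    // alone would turn null/''/[] into 0 and '0x10' into 16.
    if ( typeof v === 'string' ) {
        if ( ! /^\d+$/.test(v) ) return { ok: false, v };
        v = Number(v);
    }
    if ( typeof v !== 'number' || ! Number.isSafeInteger(v) || v < 0 ) {
        return { ok: false, v };
    }
    return { ok: true, v };
};
// … unchanged: module.exports …
```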