From f84bdc14d52e33d37f7db25b44adfebc83467d7c Mon Sep 17 00:00:00 2001
From: izzy
Date: Mon, 24 Nov 2025 14:30:49 +0000
Subject: [PATCH] chore: additional filename validation

---
 server/src/services/maintenance.service.ts | 6 +++---
 server/src/validation.ts | 3 +++
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/server/src/services/maintenance.service.ts b/server/src/services/maintenance.service.ts
index 56da5ff4a2..eef508c3c6 100644
--- a/server/src/services/maintenance.service.ts
+++ b/server/src/services/maintenance.service.ts
@@ -1,5 +1,5 @@
 import { BadRequestException, Injectable } from '@nestjs/common';
-import { join } from 'node:path';
+import { basename, join } from 'node:path';
 import { StorageCore } from 'src/cores/storage.core';
 import { OnEvent } from 'src/decorators';
 import { MaintenanceAuthDto, SetMaintenanceModeDto } from 'src/dtos/maintenance.dto';
@@ -82,7 +82,7 @@ export class MaintenanceService extends BaseService {
   }
 
   async deleteBackup(filename: string): Promise {
-    return deleteBackup(this.backupRepos, filename);
+    return deleteBackup(this.backupRepos, basename(filename));
   }
 
   async uploadBackup(file: Express.Multer.File): Promise {
@@ -94,7 +94,7 @@ export class MaintenanceService extends BaseService {
       throw new BadRequestException('Invalid backup name!');
     }
 
-    return join(StorageCore.getBaseFolder(StorageFolder.Backups), filename);
+    return join(StorageCore.getBaseFolder(StorageFolder.Backups), basename(filename));
   }
 
   private get backupRepos() {
diff --git a/server/src/validation.ts b/server/src/validation.ts
index 7dfb233780..025cb3982c 100644
--- a/server/src/validation.ts
+++ b/server/src/validation.ts
@@ -100,6 +100,9 @@ export class FilenameParamDto {
   @IsNotEmpty()
   @IsString()
   @ApiProperty({ format: 'string' })
+  @Matches(/^[a-zA-Z0-9_\-\.]+$/, {
+    message: 'Filename contains invalid characters',
+  })
   filename!: string;
 }
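Review bot: `basename(filename)` in deleteBackup still lets `.` and `..` through, because `basename('..')` returns `'..'`, so the value is not guaranteed to name an entry inside the backup folder; the same applies to the `join(...)` line in the `@@ -94,7` hunk. Normalising instead of rejecting also hides the attempt: a request for `a/b.sql` is silently handled as `b.sql` rather than answered with a 400, which is harder to spot in logs and can act on a different file than the caller named. I would reject rather than rewrite, e.g. `if (basename(filename) !== filename || filename === '.' || filename === '..') throw new BadRequestException('Invalid backup name!');` before the repository call. Both enclosing methods are cut at the hunk edges, and whether the repository's deleteBackup or the preceding 'Invalid backup name!' check already rejects dot-only names is not visible here.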
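Review bot: The new `@Matches` pattern on FilenameParamDto.filename accepts names made only of dots, so `.` and `..` still validate and, if this DTO guards the backup routes (not visible here), reach the services that join the value onto the backup folder. A negative lookahead closes that without widening anything else: `@Matches(/^(?!\.+$)[a-zA-Z0-9_.-]+$/, { message: 'Filename contains invalid characters' })` — inside a character class the `\.` and `\-` escapes are unnecessary once `-` is placed last. The pattern is ASCII-only, which is presumably intended for server-generated backup names but deserves a one-line comment saying so, e.g. `// backup names are generated server-side; ASCII-only is deliberate`. The import of `Matches` is outside the hunk, so I am assuming it is already brought in from class-validator alongside `IsNotEmpty` and `IsString`.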