handle different content-disposition and potential path traversal

This commit is contained in:
Peter Clement 2024-03-15 09:59:20 +00:00
parent aa89f075cd
commit c9d88e7d26
4 changed files with 7 additions and 5 deletions


@ -37,7 +37,7 @@ export const bucketTTLConfig = (
days: number days: number
): PutBucketLifecycleConfigurationRequest => { ): PutBucketLifecycleConfigurationRequest => {
const lifecycleRule = { const lifecycleRule = {
ID: "ExpireAfterOneDay", ID: `${bucketName}-ExpireAfterOneDay`,
Prefix: "", Prefix: "",
Status: "Enabled", Status: "Enabled",
Expiration: { Expiration: {
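Review bot: The changed rule ID still hard-codes `ExpireAfterOneDay` while the actual period comes from the `days` parameter visible in the signature, so a bucket configured with any other value carries a rule name that contradicts its expiration. If nothing else looks the rule up by ID, `ID: \`${bucketName}-ExpireAfter${days}Days\`` would keep the label truthful; otherwise a one-line comment that the suffix is a fixed label rather than the configured period would avoid the confusion. The function `bucketTTLConfig` begins outside the hunk.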


@ -67,6 +67,7 @@
"bcryptjs": "2.4.3", "bcryptjs": "2.4.3",
"bull": "4.10.1", "bull": "4.10.1",
"chokidar": "3.5.3", "chokidar": "3.5.3",
"content-disposition": "^0.5.4",
"cookies": "0.8.0", "cookies": "0.8.0",
"csvtojson": "2.0.10", "csvtojson": "2.0.10",
"curlconverter": "3.21.0", "curlconverter": "3.21.0",
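Review bot: The new entry `"content-disposition": "^0.5.4"` is the only caret range in a dependency block where every neighbour is pinned exactly (`"bcryptjs": "2.4.3"`, `"bull": "4.10.1"`, `"chokidar": "3.5.3"`), so a later `0.5.x` publish would be picked up by a fresh install without a lockfile change being reviewed. For consistency with the file's pinning policy write `"content-disposition": "0.5.4",`, which is also the version the lockfile hunk already resolves to.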


@ -22,6 +22,8 @@ import FormData from "form-data"
import { URLSearchParams } from "url" import { URLSearchParams } from "url"
import { blacklist } from "@budibase/backend-core" import { blacklist } from "@budibase/backend-core"
import { handleFileResponse, handleXml } from "./utils" import { handleFileResponse, handleXml } from "./utils"
import { parse } from "content-disposition"
import path from "path"
const BodyTypes = { const BodyTypes = {
NONE: "none", NONE: "none",
@ -134,9 +136,8 @@ class RestIntegration implements IntegrationBase {
const contentType = response.headers.get("content-type") || "" const contentType = response.headers.get("content-type") || ""
const contentDisposition = response.headers.get("content-disposition") || "" const contentDisposition = response.headers.get("content-disposition") || ""
const matches = filename =
/filename[^;=\n]*=((['"]).*?\2|[^;\n]*)/.exec(contentDisposition) || [] path.basename(parse(contentDisposition).parameters?.filename) || ""
filename = matches[1]?.replace(/['"]/g, "") || ""
try { try {
if (filename) { if (filename) {
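Review bot: The new assignment `filename = path.basename(parse(contentDisposition).parameters?.filename) || ""` throws on the common cases the old regex handled silently: `contentDisposition` defaults to `""` on the line above, and `parse("")` from content-disposition throws a TypeError (as does a malformed header value), while a header without a `filename` parameter makes `path.basename(undefined)` throw ERR_INVALID_ARG_TYPE. The `try {` that follows starts after the assignment, so unless an enclosing try exists outside the hunk, every response without a Content-Disposition header now fails the whole request instead of falling back to an empty filename. Guard the parse and the missing-parameter case before calling basename, and keep the fallback to `""`; note too that `basename` is POSIX on a Linux host, so a value like `..\\x` survives intact and `..` is returned as `..` — whether that matters depends on what `handleFileResponse` does with the name, which is not visible here. The enclosing method of `RestIntegration` continues outside the hunk.
```typescript
const contentDisposition = response.headers.get("content-disposition") || ""
// Only trust the basename of the advertised filename; a missing or malformed
// header degrades to "" (the previous regex behaviour) instead of throwing.
try {
  const advertised = contentDisposition
    ? parse(contentDisposition).parameters?.filename
    : undefined
  const base = typeof advertised === "string" ? path.basename(advertised) : ""
  filename = base === "." || base === ".." ? "" : base
} catch {
  filename = ""
}
// … unchanged: try { if (filename) { … } …
```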


@ -8570,7 +8570,7 @@ consolidate@^0.16.0:
dependencies: dependencies:
bluebird "^3.7.2" bluebird "^3.7.2"
content-disposition@^0.5.2, content-disposition@^0.5.3, content-disposition@~0.5.2: content-disposition@^0.5.2, content-disposition@^0.5.3, content-disposition@^0.5.4, content-disposition@~0.5.2:
version "0.5.4" version "0.5.4"
resolved "https://registry.yarnpkg.com/content-disposition/-/content-disposition-0.5.4.tgz#8b82b4efac82512a02bb0b1dcec9d2c5e8eb5bfe" resolved "https://registry.yarnpkg.com/content-disposition/-/content-disposition-0.5.4.tgz#8b82b4efac82512a02bb0b1dcec9d2c5e8eb5bfe"
integrity sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ== integrity sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==