Bugfix: Check for relative path when saving file, to prevent unauthorised writes (#3172)

* Check for relative path when saving file, to prevent unauthorised writes * preventing relative paths for all modes (s3/local) * preventing relative paths for all modes (s3/local) * Update storageUtils.ts * changing the code to sanitizing filenames. * fix lock file --------- Co-authored-by: Henry Heng <henryheng@flowiseai.com> Co-authored-by: Henry <hzj94@hotmail.com>
2026-06-28 21:00:58 +03:00 · 2024-09-14 18:28:52 +05:30
parent 0420ff2af3
commit 8bd3de4153
3 changed files with 60 additions and 16 deletions
@@ -374,6 +374,9 @@ importers:
            replicate:
                specifier: ^0.31.1
                version: 0.31.1
+            sanitize-filename:
+                specifier: ^1.6.3
+                version: 1.6.3
            socket.io:
                specifier: ^4.6.1
                version: 4.7.4(bufferutil@4.0.8)(utf-8-validate@6.0.4)
@@ -14616,6 +14619,9 @@ packages:
    safer-buffer@2.1.2:
        resolution: { integrity: sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg== }

+    sanitize-filename@1.6.3:
+        resolution: { integrity: sha512-y/52Mcy7aw3gRm7IrcGDFx/bCk4AhRh2eI9luHOQM86nZsqwiRkkq2GekHXBBD+SmPidc8i2PqtYZl+pWJ8Oeg== }
+
    sanitize-html@2.12.1:
        resolution: { integrity: sha512-Plh+JAn0UVDpBRP/xEjsk+xDCoOvMBwQUf/K+/cBAVuTbtX8bj2VB7S1sL1dssVpykqp0/KPSesHrqXtokVBpA== }

@@ -15733,6 +15739,9 @@ packages:
    trough@2.2.0:
        resolution: { integrity: sha512-tmMpK00BjZiUyVyvrBK7knerNgmgvcV/KLVyuma/SC+TQN167GrMRciANTz09+k3zW8L8t60jWO1GpfkZdjTaw== }

+    truncate-utf8-bytes@1.0.2:
+        resolution: { integrity: sha512-95Pu1QXQvruGEhv62XCMO3Mm90GscOCClvrIUwCM0PYOXK3kaF3l3sIHxx71ThJfcbM2O5Au6SO3AWCSEfW4mQ== }
+
    tryer@1.0.1:
        resolution: { integrity: sha512-c3zayb8/kWWpycWYg87P71E1S1ZL6b6IJxfb5fvsUgsf0S2MVGaDhDXXjDMpdCpfWXqptc+4mXwmiy1ypXqRAA== }

@@ -16232,6 +16241,9 @@ packages:
        resolution: { integrity: sha512-xu9GQDeFp+eZ6LnCywXN/zBancWvOpUMzgjLPSjy4BRHSmTelvn2E0DG0o1sTiw5hkCKBHo8rwSKncfRfv2EEQ== }
        engines: { node: '>=6.14.2' }

+    utf8-byte-length@1.0.5:
+        resolution: { integrity: sha512-Xn0w3MtiQ6zoz2vFyUVruaCL53O/DwUvkEeOvj+uulMm0BkUGYWmBYVyElqZaSLhY6ZD0ulfU3aBra2aVT4xfA== }
+
    util-deprecate@1.0.2:
        resolution: { integrity: sha512-EPD5q1uXyFxJpCrLnCc1nHnq3gOa6DZBocAIiI2TaSCA7VCJ1UJDMagCzIkXNsUYfD1daK//LTEQ8xiIbrHtcw== }

@@ -35448,6 +35460,10 @@ snapshots:

    safer-buffer@2.1.2: {}

+    sanitize-filename@1.6.3:
+        dependencies:
+            truncate-utf8-bytes: 1.0.2
+
    sanitize-html@2.12.1:
        dependencies:
            deepmerge: 4.3.1
@@ -36815,6 +36831,10 @@ snapshots:

    trough@2.2.0: {}

+    truncate-utf8-bytes@1.0.2:
+        dependencies:
+            utf8-byte-length: 1.0.5
+
    tryer@1.0.1: {}

    ts-api-utils@1.3.0(typescript@5.5.2):
@@ -37330,6 +37350,8 @@ snapshots:
            node-gyp-build: 4.8.1
        optional: true

+    utf8-byte-length@1.0.5: {}
+
    util-deprecate@1.0.2: {}

    util.promisify@1.0.1: