mirror/advplyr.audiobookshelf
1
0
Fork 0
mirror of https://github.com/advplyr/audiobookshelf.git synced 2025-06-21 00:26:01 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Merge pull request #4393 from advplyr/fix_pathexists_join
Some checks are pending
CodeQL / Analyze (push) Waiting to run
Details
Build and Push Docker Image / build (push) Waiting to run
Details
Integration Test / build and test (push) Waiting to run
Details
Run Unit Tests / Run Unit Tests (push) Waiting to run
Details

Browse source 
Fix filesystem pathexists path join
This commit is contained in:
advplyr 2025-06-10 17:20:23 -05:00 committed by GitHub
commit 7a33a412fc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
server/controllers/FileSystemController.js
View file

@ -89,7 +89,6 @@ class FileSystemController {
}
const { directory, folderPath } = req.body
if (!directory?.length || typeof directory !== 'string' || !folderPath?.length || typeof folderPath !== 'string') {
Logger.error(`[FileSystemController] Invalid request body: ${JSON.stringify(req.body)}`)
return res.status(400).json({
@ -109,7 +108,8 @@ class FileSystemController {
return res.sendStatus(404)
}
const filepath = Path.posix.join(libraryFolder.path, directory)
const filepath = Path.join(libraryFolder.path, directory)
// Ensure filepath is inside library folder (prevents directory traversal)
if (!filepath.startsWith(libraryFolder.path)) {
Logger.error(`[FileSystemController] Filepath is not inside library folder: ${filepath}`)