Patch path traversal in move-files that can be used by administrator level attacker only

2024-08-27 16:19:12 -07:00 · 2024-08-27 16:19:12 -07:00 · 47a5c7126c
commit 47a5c7126c
parent f519a4b48c
5 changed files with 20 additions and 8 deletions
--- a/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx
+++ b/frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/HistoricalMessage/index.jsx
@ -98,7 +98,7 @@ const HistoricalMessage = ({
              saveChanges={saveEditedMessage}
            />
          ) : (
-            <div className={'overflow-x-scroll break-words'}>
+            <div className={"overflow-x-scroll break-words"}>
              <span
                className={`flex flex-col gap-y-1`}
                dangerouslySetInnerHTML={{
--- a/package.json
+++ b/package.json
@ -10,7 +10,7 @@
    "node": ">=18"
  },
  "scripts": {
-    "lint": "cd server && yarn lint && cd ../frontend && yarn lint && cd ../embed && yarn lint && cd ../collector && yarn lint",
+    "lint": "cd server && yarn lint && cd ../frontend && yarn lint && cd ../collector && yarn lint",
    "setup": "cd server && yarn && cd ../collector && yarn && cd ../frontend && yarn && cd .. && yarn setup:envs && yarn prisma:setup && echo \"Please run yarn dev:server, yarn dev:collector, and yarn dev:frontend in separate terminal tabs.\"",
    "setup:envs": "cp -n ./frontend/.env.example ./frontend/.env && cp -n ./server/.env.example ./server/.env.development && cp -n ./collector/.env.example ./collector/.env && cp -n ./docker/.env.example ./docker/.env && echo \"All ENV files copied!\n\"",
    "dev:server": "cd server && yarn dev",
--- a/server/endpoints/api/document/index.js
+++ b/server/endpoints/api/document/index.js
@ -686,6 +686,12 @@ function apiDocumentEndpoints(app) {
          const sourcePath = path.join(documentsPath, normalizePath(from));
          const destinationPath = path.join(documentsPath, normalizePath(to));
          return new Promise((resolve, reject) => {
            if (
              !isWithin(documentsPath, sourcePath) ||
              !isWithin(documentsPath, destinationPath)
            )
              return reject("Invalid file location");
            fs.rename(sourcePath, destinationPath, (err) => {
              if (err) {
                console.error(`Error moving file ${from} to ${to}:`, err);
--- a/server/endpoints/document.js
+++ b/server/endpoints/document.js
@ -60,6 +60,12 @@ function documentEndpoints(app) {
          const destinationPath = path.join(documentsPath, normalizePath(to));
          return new Promise((resolve, reject) => {
            if (
              !isWithin(documentsPath, sourcePath) ||
              !isWithin(documentsPath, destinationPath)
            )
              return reject("Invalid file location");
            fs.rename(sourcePath, destinationPath, (err) => {
              if (err) {
                console.error(`Error moving file ${from} to ${to}:`, err);
--- a/server/models/browserExtensionApiKey.js
+++ b/server/models/browserExtensionApiKey.js
@ -88,9 +88,9 @@ const BrowserExtensionApiKey = {
  /**
   * Gets browser keys by params
-   * @param {object} clause 
+   * @param {object} clause
-   * @param {number|null} limit 
+   * @param {number|null} limit
-   * @param {object|null} orderBy 
+   * @param {object|null} orderBy
   * @returns {Promise<import("@prisma/client").browser_extension_api_keys[]>}
   */
  where: async function (clause = {}, limit = null, orderBy = null) {
@ -111,9 +111,9 @@ const BrowserExtensionApiKey = {
  /**
   * Get browser API keys for user
   * @param {import("@prisma/client").users} user
-   * @param {object} clause 
+   * @param {object} clause
-   * @param {number|null} limit 
+   * @param {number|null} limit
-   * @param {object|null} orderBy 
+   * @param {object|null} orderBy
   * @returns {Promise<import("@prisma/client").browser_extension_api_keys[]>}
   */
  whereWithUser: async function (