Add support for adding file names. Experimental.

This commit is contained in:
hippoz 2020-10-03 18:53:43 +03:00
parent 27be96572b
commit 46b8d91c1e
3 changed files with 43 additions and 5 deletions

View file

@ -13,9 +13,6 @@ app.set('view engine', 'ejs')
app.use(express.urlencoded({ extended: false })); app.use(express.urlencoded({ extended: false }));
app.use(express.json()); app.use(express.json());
app.get('/', (req, res) => {
res.render('upload');
});
const isPathValid = (filename, filePath) => { const isPathValid = (filename, filePath) => {
if (!filename) { if (!filename) {
@ -26,6 +23,10 @@ const isPathValid = (filename, filePath) => {
return false; return false;
} }
if (!/[A-Za-z1-9.]+/g.test(filename)) {
return false;
}
if (filePath.indexOf(config.storagePath) !== 0) { if (filePath.indexOf(config.storagePath) !== 0) {
return false; return false;
} }
@ -33,6 +34,22 @@ const isPathValid = (filename, filePath) => {
return true; return true;
}; };
const isFilenameValid = (filename) => {
if (!filename) {
return false;
}
if (filename.indexOf('\0') !== -1 || filename.indexOf('%') !== -1 || filename.indexOf('..') !== -1 || filename.indexOf('&') !== -1) {
return false;
}
if (!/[A-Za-z1-9.]+/g.test(filename)) {
return false;
}
return true;
};
const getFileType = (filename) => { const getFileType = (filename) => {
const extension = path.extname(filename).substring(1); const extension = path.extname(filename).substring(1);
let type = config.files.embed[extension]; let type = config.files.embed[extension];
@ -44,6 +61,14 @@ const getFileType = (filename) => {
return type; return type;
}; };
app.get('/', (req, res) => {
res.render('upload');
});
app.get('/file/:filename', (req, res) => { app.get('/file/:filename', (req, res) => {
const filename = req.params.filename; const filename = req.params.filename;
const filePath = path.join(config.storagePath, filename); const filePath = path.join(config.storagePath, filename);
@ -75,6 +100,7 @@ app.get('/file/:filename', (req, res) => {
app.post('/api/upload', (req, res) => { app.post('/api/upload', (req, res) => {
const password = req.body.password; const password = req.body.password;
const chosenFileName = req.body.filename;
if (config.passwords.indexOf(password) === -1) { if (config.passwords.indexOf(password) === -1) {
return res.status(401).render('uploadfailed', { message: 'The password you entered is not correct.' }); return res.status(401).render('uploadfailed', { message: 'The password you entered is not correct.' });
@ -85,7 +111,16 @@ app.post('/api/upload', (req, res) => {
} }
const file = req.files.file; const file = req.files.file;
const filepath = `${config.storagePath}/${file.name}`;
if (!isFilenameValid(chosenFileName)) {
return res.status(400).render('uploadfailed', { message: 'Invalid name.' });
}
const filepath = path.join(config.storagePath, chosenFileName);
if (!isFilenameValid(file.name) || !isPathValid(chosenFileName, filepath)) {
return res.status(400).render('uploadfailed', { message: 'Invalid name.' });
}
fs.stat(filepath, (err) => { fs.stat(filepath, (err) => {
if(err == null) { if(err == null) {
@ -93,7 +128,7 @@ app.post('/api/upload', (req, res) => {
} else if(err.code === 'ENOENT') { } else if(err.code === 'ENOENT') {
file.mv(filepath, (err) => { file.mv(filepath, (err) => {
if (err) return res.status(500).render('uploadfailed', { message: 'Something went wrong while uploading the file.' }); if (err) return res.status(500).render('uploadfailed', { message: 'Something went wrong while uploading the file.' });
res.render('uploaded', { file: { name: file.name } }); res.render('uploaded', { file: { name: chosenFileName } });
}); });
} else { } else {
return res.status(500).render('uploadfailed', { message: 'Something went wrong.' });; return res.status(500).render('uploadfailed', { message: 'Something went wrong.' });;

View file

@ -10,6 +10,7 @@
<p>i think</p> <p>i think</p>
<form action='/api/upload' method="POST" enctype="multipart/form-data"> <form action='/api/upload' method="POST" enctype="multipart/form-data">
Password: <input type="password" name="password"> </br> Password: <input type="password" name="password"> </br>
File name: <input type="text" name="filename"> </br>
<input type="file" name="file"/> </br> <input type="file" name="file"/> </br>
<input type='submit' value='Upload!'/> <input type='submit' value='Upload!'/>
</form> </form>

View file

@ -9,5 +9,7 @@
<h1>upload failed</h1> <h1>upload failed</h1>
<p>i think</p> <p>i think</p>
<p><%= message %></p> <p><%= message %></p>
<br>
<a href="/">Go back</a>
</body> </body>
</html> </html>