Merge pull request #66 from Luen/Uncontrolled-data-used-in-path-expression

Luen · web-flow · commit c455361793b2 · 2025-08-22T14:01:09.000+10:00
Potential fix for code scanning alert no. 7: Uncontrolled data used in path expression
diff --git a/index.js b/index.js
@@ -12,6 +12,7 @@ const port = process.env.PORT || 8080
 
 const accepted = ['jpg', 'jpeg', 'png']
 const logoPath = path.join(__dirname, 'Wanderstories-logo.png')
+const imagesRoot = path.resolve(__dirname, 'content', 'images')
 
 const app = express()
 app.set('trust proxy', 1) // trust first proxy
@@ -55,9 +56,13 @@ app.use(
 const allowedOrigins = [
     'https://images.wanderstories.space',
     'https://wanderstories.space',
+    'http://localhost:8080',
 ]
 const corsOptions = {
     origin: function (origin, callback) {
+        // Allow requests with no origin (like mobile apps or curl requests)
+        if (!origin) return callback(null, true)
+
         if (allowedOrigins.includes(origin)) {
             callback(null, true)
         } else {
@@ -117,11 +122,15 @@ app.get('/content/images/*', async (req, res, next) => {
             'images',
             relativePath
         )
+        const resolvedImagePath = path.resolve(imagePath)
+        if (!resolvedImagePath.startsWith(imagesRoot + path.sep)) {
+            return res.status(403).send('Forbidden')
+        }
 
         try {
             // await fs.promises.access(imagePath, fs.constants.F_OK);
-            await fs.promises.access(imagePath)
-            return res.sendFile(imagePath)
+            await fs.promises.access(resolvedImagePath)
+            return res.sendFile(resolvedImagePath)
         } catch (err) {
             // File doesn't exist (this is expected), continue processing
             // console.error("File does not exist, proceeding with processing: ", err);
@@ -210,14 +219,14 @@ app.get('/content/images/*', async (req, res, next) => {
         const directoryPath = path.dirname(imagePath)
         try {
             await fs.promises.mkdir(directoryPath, { recursive: true })
-            await fs.promises.writeFile(imagePath, outputBuffer)
+            await fs.promises.writeFile(resolvedImagePath, outputBuffer)
         } catch (err) {
             // Handle file writing error
             // console.error("Error writing file: ", err);
             return res.status(500).send('Internal Server Error')
         }
 
-        return res.sendFile(imagePath)
+        return res.sendFile(resolvedImagePath)
     } catch (err) {
         //console.error(err);
         return res.status(500).send('Internal Server Error')
