fix: remote arbitrary file overwrite on file upload endpoint

2024-11-17 16:07:21 +01:00
parent 51478b6a9f
commit 6cf5c66fe2
2 changed files with 7 additions and 1 deletions
--- a/backend/src/file/file.service.ts
+++ b/backend/src/file/file.service.ts
@@ -12,6 +12,7 @@ import * as fs from "fs";
 import * as mime from "mime-types";
 import { ConfigService } from "src/config/config.service";
 import { PrismaService } from "src/prisma/prisma.service";
+import { validate as isValidUUID } from "uuid";
 import { SHARE_DIRECTORY } from "../constants";

@Injectable()
@@ -28,7 +29,11 @@ export class FileService {
    file: { id?: string; name: string },
    shareId: string,
  ) {
-    if (!file.id) file.id = crypto.randomUUID();
+    if (!file.id) {
+      file.id = crypto.randomUUID();
+    } else if (!isValidUUID(file.id)) {
+      throw new BadRequestException("Invalid file ID format");
+    }

    const share = await this.prisma.share.findUnique({
      where: { id: shareId },