release: 1.4.0

feat: add "creatorEmail" config bariable to share recipient email message
chore: upgrade vulnerable dependencies
2024-11-17 16:22:29 +01:00 · 2024-11-17 16:11:30 +01:00 · 2024-11-17 16:09:40 +01:00 · 2024-11-17 16:09:23 +01:00 · 2024-11-17 16:07:21 +01:00
11 changed files with 94 additions and 68 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,15 @@
+## [1.4.0](https://github.com/stonith404/pingvin-share/compare/v1.3.0...v1.4.0) (2024-11-17)
+
+
+### Features
+
+* add "creatorEmail" config bariable to share recipient email message ([c7dacb2](https://github.com/stonith404/pingvin-share/commit/c7dacb26e87504a1c5e6b0d87cdcd5ed91b9cdf5))
+
+
+### Bug Fixes
+
+* remote arbitrary file overwrite on file upload endpoint ([6cf5c66](https://github.com/stonith404/pingvin-share/commit/6cf5c66fe2eda1e0a525edf7440d047fe2f0e35b))
+
 ## [1.3.0](https://github.com/stonith404/pingvin-share/compare/v1.2.4...v1.3.0) (2024-11-14)


--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "pingvin-share-backend",
-  "version": "1.3.0",
+  "version": "1.4.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "pingvin-share-backend",
-      "version": "1.3.0",
+      "version": "1.4.0",
      "dependencies": {
        "@nestjs/cache-manager": "^2.2.2",
        "@nestjs/common": "^10.4.3",
@@ -63,6 +63,7 @@
        "@types/qrcode-svg": "^1.1.5",
        "@types/sharp": "^0.32.0",
        "@types/supertest": "^6.0.2",
+        "@types/uuid": "^10.0.0",
        "@typescript-eslint/eslint-plugin": "^8.6.0",
        "@typescript-eslint/parser": "^8.6.0",
        "cross-env": "^7.0.3",
@@ -1240,13 +1241,13 @@
      }
    },
    "node_modules/@nestjs/platform-express": {
-      "version": "10.4.3",
-      "resolved": "https://registry.npmjs.org/@nestjs/platform-express/-/platform-express-10.4.3.tgz",
-      "integrity": "sha512-ss7gkofVm3eO+1P9iRhmGq6Xcjg+mIN3dWisKJZYelSV+msb0QpJmqChLvWjLkWtlqDnx915FKUk0IzCa0TVzw==",
+      "version": "10.4.8",
+      "resolved": "https://registry.npmjs.org/@nestjs/platform-express/-/platform-express-10.4.8.tgz",
+      "integrity": "sha512-bDz6wQD9LzGeK6uAAFv9l9AbrpyPwHStNObL8J95HBAXJesOblVlQMBAhdfci1YVMQUfOc36qq0IpRSa1II9Mg==",
      "dependencies": {
        "body-parser": "1.20.3",
        "cors": "2.8.5",
-        "express": "4.21.0",
+        "express": "4.21.1",
        "multer": "1.4.4-lts.1",
        "tslib": "2.7.0"
      },
@@ -1952,6 +1953,12 @@
        "@types/superagent": "^8.1.0"
      }
    },
+    "node_modules/@types/uuid": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/@types/uuid/-/uuid-10.0.0.tgz",
+      "integrity": "sha512-7gqG38EyHgyP1S+7+xomFtL+ZNHcKv6DwNaCZmJmo1vgMugyF3TCnXVg4t1uk89mLNwnLtnY3TpOpCOyp1/xHQ==",
+      "dev": true
+    },
    "node_modules/@types/validator": {
      "version": "13.11.10",
      "resolved": "https://registry.npmjs.org/@types/validator/-/validator-13.11.10.tgz",
@@ -3376,33 +3383,25 @@
      }
    },
    "node_modules/cookie": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
-      "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==",
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
      "engines": {
        "node": ">= 0.6"
      }
    },
    "node_modules/cookie-parser": {
-      "version": "1.4.6",
-      "resolved": "https://registry.npmjs.org/cookie-parser/-/cookie-parser-1.4.6.tgz",
-      "integrity": "sha512-z3IzaNjdwUC2olLIB5/ITd0/setiaFMLYiZJle7xg5Fe9KWAceil7xszYfHHBtDFYLSgJduS2Ty0P1uJdPDJeA==",
+      "version": "1.4.7",
+      "resolved": "https://registry.npmjs.org/cookie-parser/-/cookie-parser-1.4.7.tgz",
+      "integrity": "sha512-nGUvgXnotP3BsjiLX2ypbQnWoGUPIIfHQNZkkC668ntrzGWEZVW70HDEB1qnNGMicPje6EttlIgzo51YSwNQGw==",
      "dependencies": {
-        "cookie": "0.4.1",
+        "cookie": "0.7.2",
        "cookie-signature": "1.0.6"
      },
      "engines": {
        "node": ">= 0.8.0"
      }
    },
-    "node_modules/cookie-parser/node_modules/cookie": {
-      "version": "0.4.1",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.4.1.tgz",
-      "integrity": "sha512-ZwrFkGJxUR3EIoXtO+yVE69Eb7KlixbaeAWfBQB9vVsNn/o+Yw69gBWSSDK825hQNdN+wF8zELf3dFNl/kxkUA==",
-      "engines": {
-        "node": ">= 0.6"
-      }
-    },
    "node_modules/cookie-signature": {
      "version": "1.0.6",
      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz",
@@ -4157,16 +4156,16 @@
      }
    },
    "node_modules/express": {
-      "version": "4.21.0",
-      "resolved": "https://registry.npmjs.org/express/-/express-4.21.0.tgz",
-      "integrity": "sha512-VqcNGcj/Id5ZT1LZ/cfihi3ttTn+NJmkli2eZADigjq29qTlWi/hAQ43t/VLPq8+UX06FCEx3ByOYet6ZFblng==",
+      "version": "4.21.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.21.1.tgz",
+      "integrity": "sha512-YSFlK1Ee0/GC8QaO91tHcDxJiE/X4FbpAyQWkxAvG6AXCuR65YzK8ua6D9hvi/TzUfZMpc+BwuM1IPw8fmQBiQ==",
      "dependencies": {
        "accepts": "~1.3.8",
        "array-flatten": "1.1.1",
        "body-parser": "1.20.3",
        "content-disposition": "0.5.4",
        "content-type": "~1.0.4",
-        "cookie": "0.6.0",
+        "cookie": "0.7.1",
        "cookie-signature": "1.0.6",
        "debug": "2.6.9",
        "depd": "2.0.0",
@@ -4197,6 +4196,14 @@
        "node": ">= 0.10.0"
      }
    },
+    "node_modules/express/node_modules/cookie": {
+      "version": "0.7.1",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.1.tgz",
+      "integrity": "sha512-6DnInpx7SJ2AK3+CTUE/ZM0vWTUboZCegxhC2xiIydHR9jNuTAASBrfEpHhiGOZw/nX51bHt6YQl8jsGo4y/0w==",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
    "node_modules/express/node_modules/debug": {
      "version": "2.6.9",
      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "pingvin-share-backend",
-  "version": "1.3.0",
+  "version": "1.4.0",
  "scripts": {
    "build": "nest build",
    "dev": "cross-env NODE_ENV=development nest start --watch",
@@ -68,6 +68,7 @@
    "@types/qrcode-svg": "^1.1.5",
    "@types/sharp": "^0.32.0",
    "@types/supertest": "^6.0.2",
+    "@types/uuid": "^10.0.0",
    "@typescript-eslint/eslint-plugin": "^8.6.0",
    "@typescript-eslint/parser": "^8.6.0",
    "cross-env": "^7.0.3",
--- a/backend/prisma/seed/config.seed.ts
+++ b/backend/prisma/seed/config.seed.ts
@@ -84,7 +84,7 @@ const configVariables: ConfigVariables = {
    shareRecipientsMessage: {
      type: "text",
      defaultValue:
-        "Hey!\n\n{creator} shared some files with you, view or download the files with this link: {shareUrl}\n\nThe share will expire {expires}.\n\nNote: {desc}\n\nShared securely with Pingvin Share 🐧",
+        "Hey!\n\n{creator} ({creatorEmail}) shared some files with you, view or download the files with this link: {shareUrl}\n\nThe share will expire {expires}.\n\nNote: {desc}\n\nShared securely with Pingvin Share 🐧",
    },
    reverseShareSubject: {
      type: "string",
--- a/backend/src/email/email.service.ts
+++ b/backend/src/email/email.service.ts
@@ -69,6 +69,7 @@ export class EmailService {
        .get("email.shareRecipientsMessage")
        .replaceAll("\\n", "\n")
        .replaceAll("{creator}", creator?.username ?? "Someone")
+        .replaceAll("{creatorEmail}", creator?.email ?? "")
        .replaceAll("{shareUrl}", shareUrl)
        .replaceAll("{desc}", description ?? "No description")
        .replaceAll(
--- a/backend/src/file/file.service.ts
+++ b/backend/src/file/file.service.ts
@@ -8,17 +8,18 @@ import {
 } from "@nestjs/common";
 import { JwtService } from "@nestjs/jwt";
 import * as crypto from "crypto";
-import * as fs from "fs";
+import { createReadStream } from "fs";
+import * as fs from "fs/promises";
 import * as mime from "mime-types";
 import { ConfigService } from "src/config/config.service";
 import { PrismaService } from "src/prisma/prisma.service";
+import { validate as isValidUUID } from "uuid";
 import { SHARE_DIRECTORY } from "../constants";

@Injectable()
 export class FileService {
  constructor(
    private prisma: PrismaService,
-    private jwtService: JwtService,
    private config: ConfigService,
  ) {}

@@ -28,7 +29,11 @@ export class FileService {
    file: { id?: string; name: string },
    shareId: string,
  ) {
-    if (!file.id) file.id = crypto.randomUUID();
+    if (!file.id) {
+      file.id = crypto.randomUUID();
+    } else if (!isValidUUID(file.id)) {
+      throw new BadRequestException("Invalid file ID format");
+    }

    const share = await this.prisma.share.findUnique({
      where: { id: shareId },
@@ -40,8 +45,8 @@ export class FileService {

    let diskFileSize: number;
    try {
-      diskFileSize = fs.statSync(
-        `${SHARE_DIRECTORY}/${shareId}/${file.id}.tmp-chunk`,
+      diskFileSize = (
+        await fs.stat(`${SHARE_DIRECTORY}/${shareId}/${file.id}.tmp-chunk`)
      ).size;
    } catch {
      diskFileSize = 0;
@@ -61,7 +66,7 @@ export class FileService {
    const buffer = Buffer.from(data, "base64");

    // Check if there is enough space on the server
-    const space = await fs.promises.statfs(SHARE_DIRECTORY);
+    const space = await fs.statfs(SHARE_DIRECTORY);
    const availableSpace = space.bavail * space.bsize;
    if (availableSpace < buffer.byteLength) {
      throw new InternalServerErrorException("Not enough space on the server");
@@ -86,19 +91,19 @@ export class FileService {
      );
    }

-    fs.appendFileSync(
+    await fs.appendFile(
      `${SHARE_DIRECTORY}/${shareId}/${file.id}.tmp-chunk`,
      buffer,
    );

    const isLastChunk = chunk.index == chunk.total - 1;
    if (isLastChunk) {
-      fs.renameSync(
+      await fs.rename(
        `${SHARE_DIRECTORY}/${shareId}/${file.id}.tmp-chunk`,
        `${SHARE_DIRECTORY}/${shareId}/${file.id}`,
      );
-      const fileSize = fs.statSync(
-        `${SHARE_DIRECTORY}/${shareId}/${file.id}`,
+      const fileSize = (
+        await fs.stat(`${SHARE_DIRECTORY}/${shareId}/${file.id}`)
      ).size;
      await this.prisma.file.create({
        data: {
@@ -120,7 +125,7 @@ export class FileService {

    if (!fileMetaData) throw new NotFoundException("File not found");

-    const file = fs.createReadStream(`${SHARE_DIRECTORY}/${shareId}/${fileId}`);
+    const file = createReadStream(`${SHARE_DIRECTORY}/${shareId}/${fileId}`);

    return {
      metaData: {
@@ -139,19 +144,19 @@ export class FileService {

    if (!fileMetaData) throw new NotFoundException("File not found");

-    fs.unlinkSync(`${SHARE_DIRECTORY}/${shareId}/${fileId}`);
+    await fs.unlink(`${SHARE_DIRECTORY}/${shareId}/${fileId}`);

    await this.prisma.file.delete({ where: { id: fileId } });
  }

  async deleteAllFiles(shareId: string) {
-    await fs.promises.rm(`${SHARE_DIRECTORY}/${shareId}`, {
+    await fs.rm(`${SHARE_DIRECTORY}/${shareId}`, {
      recursive: true,
      force: true,
    });
  }

  getZip(shareId: string) {
-    return fs.createReadStream(`${SHARE_DIRECTORY}/${shareId}/archive.zip`);
+    return createReadStream(`${SHARE_DIRECTORY}/${shareId}/archive.zip`);
  }
 }
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "pingvin-share-frontend",
-  "version": "1.3.0",
+  "version": "1.4.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "pingvin-share-frontend",
-      "version": "1.3.0",
+      "version": "1.4.0",
      "dependencies": {
        "@emotion/react": "^11.13.3",
        "@emotion/server": "^11.11.0",
@@ -4357,20 +4357,20 @@
      }
    },
    "node_modules/cookie": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
-      "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw==",
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
      "engines": {
        "node": ">= 0.6"
      }
    },
    "node_modules/cookies-next": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/cookies-next/-/cookies-next-4.2.1.tgz",
-      "integrity": "sha512-qsjtZ8TLlxCSX2JphMQNhkm3V3zIMQ05WrLkBKBwu50npBbBfiZWIdmSMzBGcdGKfMK19E0PIitTfRFAdMGHXg==",
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/cookies-next/-/cookies-next-4.3.0.tgz",
+      "integrity": "sha512-XxeCwLR30cWwRd94sa9X5lRCDLVujtx73tv+N0doQCFIDl83fuuYdxbu/WQUt9aSV7EJx7bkMvJldjvzuFqr4w==",
      "dependencies": {
        "@types/cookie": "^0.6.0",
-        "cookie": "^0.6.0"
+        "cookie": "^0.7.0"
      }
    },
    "node_modules/core-js-compat": {
@@ -8262,9 +8262,9 @@
      }
    },
    "node_modules/rollup": {
-      "version": "2.79.1",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.79.1.tgz",
-      "integrity": "sha512-uKxbd0IhMZOhjAiD5oAFp7BqvkA4Dv47qpOCtaNvng4HBwdbWtdOh8f5nZNuk2rp51PMGk3bzfWu5oayNEuYnw==",
+      "version": "2.79.2",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.79.2.tgz",
+      "integrity": "sha512-fS6iqSPZDs3dr/y7Od6y5nha8dW1YnbgtsyotCVvoFGKbERG++CVRFv1meyGDE1SNItQA8BrnCw7ScdAhRJ3XQ==",
      "bin": {
        "rollup": "dist/bin/rollup"
      },
@@ -13067,17 +13067,17 @@
      }
    },
    "cookie": {
-      "version": "0.6.0",
-      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.6.0.tgz",
-      "integrity": "sha512-U71cyTamuh1CRNCfpGY6to28lxvNwPG4Guz/EVjgf3Jmzv0vlDp1atT9eS5dDjMYHucpHbWns6Lwf3BKz6svdw=="
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w=="
    },
    "cookies-next": {
-      "version": "4.2.1",
-      "resolved": "https://registry.npmjs.org/cookies-next/-/cookies-next-4.2.1.tgz",
-      "integrity": "sha512-qsjtZ8TLlxCSX2JphMQNhkm3V3zIMQ05WrLkBKBwu50npBbBfiZWIdmSMzBGcdGKfMK19E0PIitTfRFAdMGHXg==",
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/cookies-next/-/cookies-next-4.3.0.tgz",
+      "integrity": "sha512-XxeCwLR30cWwRd94sa9X5lRCDLVujtx73tv+N0doQCFIDl83fuuYdxbu/WQUt9aSV7EJx7bkMvJldjvzuFqr4w==",
      "requires": {
        "@types/cookie": "^0.6.0",
-        "cookie": "^0.6.0"
+        "cookie": "^0.7.0"
      }
    },
    "core-js-compat": {
@@ -15850,9 +15850,9 @@
      }
    },
    "rollup": {
-      "version": "2.79.1",
-      "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.79.1.tgz",
-      "integrity": "sha512-uKxbd0IhMZOhjAiD5oAFp7BqvkA4Dv47qpOCtaNvng4HBwdbWtdOh8f5nZNuk2rp51PMGk3bzfWu5oayNEuYnw==",
+      "version": "2.79.2",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-2.79.2.tgz",
+      "integrity": "sha512-fS6iqSPZDs3dr/y7Od6y5nha8dW1YnbgtsyotCVvoFGKbERG++CVRFv1meyGDE1SNItQA8BrnCw7ScdAhRJ3XQ==",
      "requires": {
        "fsevents": "~2.3.2"
      }
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "pingvin-share-frontend",
-  "version": "1.3.0",
+  "version": "1.4.0",
  "scripts": {
    "dev": "next dev",
    "build": "next build",
--- a/frontend/src/i18n/translations/en-US.ts
+++ b/frontend/src/i18n/translations/en-US.ts
@@ -438,7 +438,7 @@ export default {
    "Subject of the email which gets sent to the share recipients.",
  "admin.config.email.share-recipients-message": "Share recipients message",
  "admin.config.email.share-recipients-message.description":
-    "Message which gets sent to the share recipients. Available variables:\n {creator} - The username of the creator of the share\n {shareUrl} - The URL of the share\n {desc} - The description of the share\n {expires} - The expiration date of the share\n These variables will be replaced with the actual value.",
+    "Message which gets sent to the share recipients. Available variables:\n {creator} - The username of the creator of the share\n {creatorEmail} - The email of the creator of the share\n {shareUrl} - The URL of the share\n {desc} - The description of the share\n {expires} - The expiration date of the share\n These variables will be replaced with the actual value.",
  "admin.config.email.reverse-share-subject": "Reverse share subject",
  "admin.config.email.reverse-share-subject.description":
    "Subject of the sent email when someone created a share with your reverse share link.",
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "pingvin-share",
-  "version": "1.3.0",
+  "version": "1.4.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "pingvin-share",
-      "version": "1.3.0",
+      "version": "1.4.0",
      "devDependencies": {
        "conventional-changelog-cli": "^3.0.0"
      }
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "pingvin-share",
-  "version": "1.3.0",
+  "version": "1.4.0",
  "scripts": {
    "format": "cd frontend && npm run format && cd ../backend && npm run format",
    "lint": "cd frontend && npm run lint && cd ../backend && npm run lint",
Author	SHA1	Message	Date
Elias Schneider	18d8cbbbab	release: 1.4.0	2024-11-17 16:22:29 +01:00
Elias Schneider	c7dacb26e8	feat: add "creatorEmail" config bariable to share recipient email message	2024-11-17 16:11:30 +01:00
Elias Schneider	b6d98c7c42	chore: upgrade vulnerable dependencies	2024-11-17 16:09:40 +01:00
Elias Schneider	c52ec71920	refactor: use fs promises in file service	2024-11-17 16:09:23 +01:00
Elias Schneider	6cf5c66fe2	fix: remote arbitrary file overwrite on file upload endpoint	2024-11-17 16:07:21 +01:00