marcogll/TaxHacker_s23
1
0
Fork 0
mirror of https://github.com/marcogll/TaxHacker_s23.git synced 2026-01-13 13:25:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: safer backups

Browse Source
This commit is contained in:
Vasily Zubarev
2025-04-04 14:52:48 +02:00
parent 1b1d72b22d
commit 48cb9c50cb
5 changed files with 18 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
app/(app)/settings/backups/actions.ts
View File

@@ -10,6 +10,7 @@ import path from "path"
const SUPPORTED_BACKUP_VERSIONS = ["1.0"]
const REMOVE_EXISTING_DATA = true
const MAX_BACKUP_SIZE = 256 * 1024 * 1024 // 256MB
export async function restoreBackupAction(prevState: any, formData: FormData) {
const user = await getCurrentUser()
@@ -20,6 +21,10 @@ export async function restoreBackupAction(prevState: any, formData: FormData) {
return { success: false, error: "No file provided" }
}
if (file.size > MAX_BACKUP_SIZE) {
return { success: false, error: `Backup file too large. Maximum size is ${MAX_BACKUP_SIZE / 1024 / 1024}MB` }
}
// Read zip archive
let zip: JSZip
try {
@@ -88,7 +93,7 @@ export async function restoreBackupAction(prevState: any, formData: FormData) {
const userUploadsDirectory = await getUserUploadsDirectory(user)
for (const file of files) {
const filePathWithoutPrefix = file.path.replace(/^.*\/uploads\//, "")
const filePathWithoutPrefix = path.normalize(file.path.replace(/^.*\/uploads\//, ""))
const zipFilePath = path.join("data/uploads", filePathWithoutPrefix)
const zipFile = zip.file(zipFilePath)
if (!zipFile) {
@@ -96,12 +101,16 @@ export async function restoreBackupAction(prevState: any, formData: FormData) {
continue
}
const fileContents = await zipFile.async("nodebuffer")
const fullFilePath = path.join(userUploadsDirectory, filePathWithoutPrefix)
const fileContent = await zipFile.async("nodebuffer")
if (!fullFilePath.startsWith(path.normalize(userUploadsDirectory))) {
console.error(`Attempted path traversal detected for file ${file.path}`)
continue
}
try {
await fs.mkdir(path.dirname(fullFilePath), { recursive: true })
await fs.writeFile(fullFilePath, fileContent)
await fs.writeFile(fullFilePath, fileContents)
restoredFilesCount++
} catch (error) {
console.error(`Error writing file ${fullFilePath}:`, error)