Prohibit library entry names from containing '../'.

Mark Hindess
2014-07-29 13:51:21 +01:00
parent bc8ea998bb
commit b7428ab627
4 changed files with 85 additions and 8 deletions


@@ -33,6 +33,10 @@ function moduleSelector(aSettings) {
return toReturn;
}
function is_malicious(path) {
return path.indexOf('../') != -1 || path.indexOf('..\\') != -1;
}
var storageModuleInterface = {
init : function(settings) {
try {
@@ -58,15 +62,27 @@ var storageModuleInterface = {
return storageModule.getAllFlows();
},
getFlow : function(fn) {
if (is_malicious(fn)) {
return when.reject(new Error('forbidden flow name'));
}
return storageModule.getFlow(fn);
},
saveFlow : function(fn, data) {
if (is_malicious(fn)) {
return when.reject(new Error('forbidden flow name'));
}
return storageModule.saveFlow(fn, data);
},
getLibraryEntry : function(type, path) {
if (is_malicious(path)) {
return when.reject(new Error('forbidden flow name'));
}
return storageModule.getLibraryEntry(type, path);
},
saveLibraryEntry : function(type, path, meta, body) {
if (is_malicious(path)) {
return when.reject(new Error('forbidden flow name'));
}
return storageModule.saveLibraryEntry(type, path, meta, body);
}
}
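Review bot: `is_malicious` is a substring denylist, so it rejects only names containing `../` or `..\`; a name that is exactly `..`, one that ends in `/..`, and an absolute path all pass it. Whether those escape the storage directory depends on how the storage module joins the name to its base directory, which this section does not show, so the stronger guard is a containment check in that module after the path has been resolved. At this layer a whole-segment comparison would be tighter: `return path.split(/[\\/]/).indexOf('..') !== -1;`. The helper also calls `indexOf` on its argument unconditionally, so a non-string `fn` or `path` throws synchronously instead of returning a rejected promise. Finally, `getLibraryEntry` and `saveLibraryEntry` reject with 'forbidden flow name', which is misleading for a library path.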