add some fancy magic :kekw:

2026-04-25 08:53:46 +02:00 · 2025-10-13 18:21:23 +02:00
parent 2e59c1f5e7
commit 22badaf535
15 changed files with 1328 additions and 786 deletions
--- a/lib/file_storage.js
+++ b/lib/file_storage.js
@@ -1,38 +1,75 @@
-var fs = require('fs');
-var crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');

-var logger = require('winston');
+// A simple key regex to prevent path traversal
+const validKeyRegex = /^[a-zA-Z0-9]+$/;

 // handles saving and retrieving all documents
-var FileDocumentStore = function(options) {
-	this.basePath = options.path || './data';
-	logger.info('Path to data: ' + this.basePath);
-};
+class FileDocumentStore {
+    constructor(options) {
+        this.basePath = options.path || './data';
+        this.logger = options.logger;
+        this.logger.info('Path to data: ' + this.basePath);
+        // Create directory if it does not exist
+        if (!fs.existsSync(this.basePath)) {
+            fs.mkdirSync(this.basePath, { recursive: true, mode: '700' });
+        }
+    }

-// saves a new file to the filesystem
-FileDocumentStore.prototype.set = function(key, data, callback) {
-	var _this = this;
-	fs.mkdir(this.basePath, '700', function(err) {
-		fs.writeFile(_this.basePath + '/' + key, data, 'utf8', function(err) {
-			if (err) {
-				callback(false);
-			} else {
-				callback(true);
-			}
-		});
-	});
-};
+    // saves a new file to the filesystem
+    set(key, data, callback) {
+        if (!validKeyRegex.test(key)) {
+            this.logger.warn(`Invalid key provided for set: ${key}`);
+            return callback(false);
+        }

-// gets an exisiting file from the filesystem
-FileDocumentStore.prototype.get = function(key, callback) {
-	var _this = this;
-	fs.readFile(this.basePath + '/' + key, 'utf8', function(err, data) {
-		if (err) {
-			callback(false);
-		} else {
-			callback(data);
-		}
-	});
-};
+        const resolvedBasePath = path.resolve(this.basePath);
+        const filePath = path.resolve(resolvedBasePath, key);

-module.exports = FileDocumentStore;
+        // Security check to ensure we are not writing outside of the data directory
+        if (path.dirname(filePath) !== resolvedBasePath) {
+            this.logger.error(`Path traversal attempt detected for key: ${key}`);
+            return callback(false);
+        }
+
+        fs.writeFile(filePath, data, 'utf8', (err) => {
+            if (err) {
+                this.logger.error('Error writing file:', err);
+                callback(false);
+            } else {
+                callback(true);
+            }
+        });
+    }
+
+    // gets an existing file from the filesystem
+    get(key, callback) {
+        if (!validKeyRegex.test(key)) {
+            this.logger.warn(`Invalid key provided for get: ${key}`);
+            return callback(false);
+        }
+
+        const resolvedBasePath = path.resolve(this.basePath);
+        const filePath = path.resolve(resolvedBasePath, key);
+
+        // Security check to ensure we are not reading outside of the data directory
+        if (path.dirname(filePath) !== resolvedBasePath) {
+            this.logger.error(`Path traversal attempt detected for key: ${key}`);
+            return callback(false);
+        }
+
+        fs.readFile(filePath, 'utf8', (err, data) => {
+            if (err) {
+                // Don't log error if file just doesn't exist
+                if (err.code !== 'ENOENT') {
+                    this.logger.error('Error reading file:', err);
+                }
+                callback(false);
+            } else {
+                callback(data);
+            }
+        });
+    }
+}
+
+module.exports = FileDocumentStore;