api: allow paths when writing files (#302)

This commit is contained in:
Thomas Hobson 2021-07-22 14:58:41 +12:00
parent 968390d5b6
commit 5cd84ae816
No known key found for this signature in database
GPG Key ID: 9F1FD9D87950DB6F
1 changed files with 8 additions and 1 deletions

View File

@ -59,6 +59,13 @@ class Job {
for (const file of this.files) { for (const file of this.files) {
let file_path = path.join(this.dir, file.name); let file_path = path.join(this.dir, file.name);
const rel = path.relative(this.dir, file_path);
if(rel.startsWith(".."))
throw Error(`File path "${file.name}" tries to escape parent directory: ${rel}`)
await fs.mkdir(path.dirname(file_path), {recursive: true, mode: 0o700})
await fs.chown(path.dirname(file_path), this.uid, this.gid);
await fs.write_file(file_path, file.content); await fs.write_file(file_path, file.content);
await fs.chown(file_path, this.uid, this.gid); await fs.chown(file_path, this.uid, this.gid);