vbrandl/fotochallenge
Archived
1
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases Activity

Compare commits

base: vbrandl:v0.0.3
Branches Tags
vbrandl:main vbrandl:renovate/sveltejs-vite-plugin-svelte-4.x vbrandl:renovate/svelte-5.x vbrandl:renovate/lock-file-maintenance
vbrandl:v0.0.8 vbrandl:v0.0.7 vbrandl:v0.0.6 vbrandl:v0.0.5 vbrandl:v0.0.4 vbrandl:v0.0.3 vbrandl:v0.0.2 vbrandl:v0.0.1
..
compare: vbrandl:v0.0.5
Branches Tags
vbrandl:main vbrandl:renovate/sveltejs-vite-plugin-svelte-4.x vbrandl:renovate/svelte-5.x vbrandl:renovate/lock-file-maintenance
vbrandl:v0.0.8 vbrandl:v0.0.7 vbrandl:v0.0.6 vbrandl:v0.0.5 vbrandl:v0.0.4 vbrandl:v0.0.3 vbrandl:v0.0.2 vbrandl:v0.0.1

10 Commits
v0.0.3 ... v0.0.5

Author SHA1 Message Date
Valentin Brandl
4b8ecc65c3 0.0.5
All checks were successful
Publish / lints (push) Successful in 25s
Details
Publish / tests (push) Successful in 51s
Details
Publish / Publishing (push) Successful in 1m9s
Details
/ Misc Linters (push) Successful in 26s
Details
/ Build App (push) Successful in 1m1s
Details
2024-08-16 18:18:02 +02:00
Valentin Brandl
3696bcade2 Change parameter order 2024-08-16 18:17:44 +02:00
Valentin Brandl
dea401fec0 Add title
All checks were successful
/ Misc Linters (push) Successful in 22s
Details
/ Build App (push) Successful in 50s
Details
2024-08-16 18:08:49 +02:00
Valentin Brandl
66494c6760 Fix tests
All checks were successful
Publish / lints (push) Successful in 25s
Details
/ Misc Linters (push) Successful in 28s
Details
/ Build App (push) Successful in 1m3s
Details
Publish / tests (push) Successful in 50s
Details
Publish / Publishing (push) Successful in 1m7s
Details
2024-08-16 16:39:44 +02:00
Valentin Brandl
05320916b2 0.0.4
Some checks failed
/ Misc Linters (push) Successful in 24s
Details
/ Build App (push) Failing after 29s
Details
Publish / lints (push) Successful in 22s
Details
Publish / tests (push) Failing after 27s
Details
Publish / Publishing (push) Has been skipped
Details
2024-08-16 16:37:24 +02:00
Valentin Brandl
e6857f5b5d 0.0.2 2024-08-16 16:36:51 +02:00
Valentin Brandl
5dba5471d1 Reject illegal names 2024-08-16 16:34:43 +02:00
Valentin Brandl
f1ff9f1c38 Update flake.lock 2024-08-16 16:34:26 +02:00
Valentin Brandl
7386a29ec5 flake.lock: Update
Some checks failed
/ Misc Linters (push) Successful in 25s
Details
/ Build App (push) Failing after 24s
Details 
Flake lock file updates:

• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/693bc46d169f5af9c992095736e82c3488bf7dbb' (2024-07-14)
  → 'github:nixos/nixpkgs/c3aa7b8938b17aebd2deecf7be0636000d62a2b9' (2024-08-14)
 2024-08-16 15:53:10 +02:00
Valentin Brandl
88b158b7b4 Lint before publish
All checks were successful
/ Misc Linters (push) Successful in 27s
Details
/ Build App (push) Successful in 59s
Details
2024-08-16 15:10:18 +02:00
8 changed files with 45 additions and 11 deletions
Expand all files Collapse all files

3
.gitea/workflows/publish.yml
View File

@ -6,6 +6,9 @@ on:
- 'v*' - 'v*'
jobs: jobs:
lints:
uses: ./.gitea/workflows/lints.yml
tests: tests:
uses: ./.gitea/workflows/node.yml uses: ./.gitea/workflows/node.yml

6
flake.lock generated
View File

@ -20,11 +20,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1720957393, "lastModified": 1723637854,
"narHash": "sha256-oedh2RwpjEa+TNxhg5Je9Ch6d3W1NKi7DbRO1ziHemA=", "narHash": "sha256-med8+5DSWa2UnOqtdICndjDAEjxr5D7zaIiK4pn0Q7c=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "693bc46d169f5af9c992095736e82c3488bf7dbb", "rev": "c3aa7b8938b17aebd2deecf7be0636000d62a2b9",
"type": "github" "type": "github"
}, },
"original": { "original": {

4
package-lock.json generated
View File

@ -1,12 +1,12 @@
{ {
"name": "fotochallenge", "name": "fotochallenge",
"version": "0.0.1", "version": "0.0.5",
"lockfileVersion": 3, "lockfileVersion": 3,
"requires": true, "requires": true,
"packages": { "packages": {
"": { "": {
"name": "fotochallenge", "name": "fotochallenge",
"version": "0.0.1", "version": "0.0.5",
"devDependencies": { "devDependencies": {
"@sveltejs/adapter-auto": "^3.0.0", "@sveltejs/adapter-auto": "^3.0.0",
"@sveltejs/adapter-node": "^5.2.0", "@sveltejs/adapter-node": "^5.2.0",

2
package.json
View File

@ -1,6 +1,6 @@
{ {
"name": "fotochallenge", "name": "fotochallenge",
"version": "0.0.1", "version": "0.0.5",
"private": true, "private": true,
"scripts": { "scripts": {
"dev": "vite dev", "dev": "vite dev",

1
src/app.html
View File

@ -4,6 +4,7 @@
<meta charset="utf-8" /> <meta charset="utf-8" />
<link rel="icon" href="%sveltekit.assets%/favicon.png" /> <link rel="icon" href="%sveltekit.assets%/favicon.png" />
<meta name="viewport" content="width=device-width, initial-scale=1" /> <meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Gabi und Hannes Fotochallenge</title>
%sveltekit.head% %sveltekit.head%
</head> </head>
<body data-sveltekit-preload-data="hover"> <body data-sveltekit-preload-data="hover">

16
src/index.test.ts
View File

@ -2,7 +2,19 @@ import safePath from '$lib';
import { describe, it, expect } from 'vitest'; import { describe, it, expect } from 'vitest';
describe('safe path', () => { describe('safe path', () => {
it('removes non alphanum from string', () => { it('reject names with ../', () => {
expect(safePath('../../!=-.,/abc123')).toBe('abc123'); expect(safePath('./uplodas', '../foobar')).toBe(false);
});
it('accept names with ./', () => {
expect(safePath('./uplodas', './foobar')).toBe(true);
});
it('reject names with /', () => {
expect(safePath('./uplodas', 'foo/bar')).toBe(false);
});
it('accept happy path', () => {
expect(safePath('./uplodas', 'foobar')).toBe(true);
}); });
}); });

17
src/lib/index.ts
View File

@ -1,10 +1,23 @@
// place files you want to import through the `$lib` alias in this folder. // place files you want to import through the `$lib` alias in this folder.
import path from 'path';
const safePath = (input: string) => input.replace(/\W/g, ''); function safePath(basePath: string, name: string): boolean {
const fullPath = `${basePath}/${name}`;
const relative = path.relative(basePath, fullPath);
return (
!!relative &&
// does move out of `basePath`
!relative.startsWith('..') &&
// exactly one layer deep, e.g. no `./uplodas/foo/bar`
!relative.includes('/') &&
// result is not an absolute path
!path.isAbsolute(relative)
);
}
const defaultPath: string = './uploads'; const defaultPath: string = './uploads';
if (!('STORAGE_PATH' in process.env)) { if (!('STORAGE_PATH' in process.env)) {
console.log(`'STORAGE_PATH' environment variable is not set. Defaulting to ${defaultPath}`); console.warn(`'STORAGE_PATH' environment variable is not set. Defaulting to ${defaultPath}`);
} }
export const storagePath: string = process.env.STORAGE_PATH ?? defaultPath; export const storagePath: string = process.env.STORAGE_PATH ?? defaultPath;

7
src/routes/+page.server.ts
View File

@ -34,7 +34,12 @@ export const actions = {
return fail(400, { field: 'name', name: formName, incorrect: true }); return fail(400, { field: 'name', name: formName, incorrect: true });
} }
const name = safePath(formName as string); const name = formName as string;
if (!safePath(storagePath, name)) {
return fail(400, { field: 'name', name: name, incorrect: true });
}
// const name = safePath(formName as string);
files.forEach(async (file) => { files.forEach(async (file) => {
const outPath = `${storagePath}/${name}`; const outPath = `${storagePath}/${name}`;