diff --git a/backend/src/v1/middlewares/storage/upload.spec.ts b/backend/src/v1/middlewares/storage/upload.spec.ts
index 3be9a2127..b83cf6074 100644
--- a/backend/src/v1/middlewares/storage/upload.spec.ts
+++ b/backend/src/v1/middlewares/storage/upload.spec.ts
@@ -10,11 +10,13 @@ jest.mock('@aws-sdk/client-s3', () => ({
   })),
 }));
 
+const realpathSyncMock = jest.fn();
 jest.mock('fs', () => ({
   __esModule: true,
   ...jest.requireActual('fs'),
   default: {
     createReadStream: jest.fn(),
+    realpathSync: (...args) => realpathSyncMock(...args),
   },
 }));
 
@@ -41,6 +43,8 @@ describe('upload', () => {
       },
     };
 
+    realpathSyncMock.mockReturnValue(path.join(os.tmpdir(), 'test.jpg'));
+
     const res = {
       status: jest.fn().mockReturnThis(),
       json: jest.fn(),
@@ -83,7 +87,6 @@ describe('upload', () => {
     };
     await useUpload({ folder: 'app' })(req, res, jest.fn());
     expect(res.status).toHaveBeenCalledWith(400);
-
   });
 });
 
@@ -100,6 +103,7 @@ describe('upload', () => {
       },
     };
 
+    realpathSyncMock.mockReturnValue(path.join(os.tmpdir(), 'test.jpg'));
     const res = {
       status: jest.fn().mockReturnThis(),
       json: jest.fn(),
diff --git a/backend/src/v1/middlewares/storage/upload.ts b/backend/src/v1/middlewares/storage/upload.ts
index c6f7e26d5..4aa7a0fe5 100644
--- a/backend/src/v1/middlewares/storage/upload.ts
+++ b/backend/src/v1/middlewares/storage/upload.ts
@@ -8,7 +8,7 @@ import {
 import os from 'os';
 import retry from 'async-retry';
 import { S3_BUCKET, S3_OPTIONS } from '../../../constants/admin';
-
+import PATH from 'path';
 
 interface Options {
   folder: string;
@@ -31,6 +31,13 @@ export const useUpload = (options: Options) => {
     try {
       const s3 = new S3Client(S3_OPTIONS);
 
+      const filePath = fs.realpathSync(PATH.resolve(os.tmpdir(), path));
+      if (!filePath.startsWith(os.tmpdir())) {
+        logger.error('File path is not starting with temp directory.');
+        res.statusCode = 403;
+        res.end();
+        return;
+      }
       const stream = fs.createReadStream(path);
       const uploadParams: PutObjectCommandInput = {
         Bucket: S3_BUCKET,
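Review bot: The new `realpathSync` stub only ever resolves to a path inside `os.tmpdir()`, so the 403 branch this change adds to upload.ts is never exercised; neither this hunk nor the `@@ -41` and `@@ -100` hunks add a case where `realpathSyncMock` returns a path outside the temp directory (or throws, as the real call does for a missing file) and asserts `res.statusCode` is 403 and `res.end` was called. The forwarding lambda `realpathSync: (...args) => realpathSyncMock(...args)` also has an implicitly-any rest parameter, which does not compile under strict mode; `realpathSync: (...args: unknown[]) => realpathSyncMock(...args)` keeps the stub typed. If this file goes through babel-jest's hoisting plugin, referencing `realpathSyncMock` from inside the `jest.mock` factory may be rejected because the name does not start with `mock` — worth confirming in CI. The enclosing describe block starts and ends outside these hunks.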
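Review bot: The containment check in the `@@ -31` hunk is weaker than it reads: `filePath.startsWith(os.tmpdir())` has no trailing separator, so a sibling directory whose name merely begins with the temp root passes, and on platforms where the temp directory is itself a symlink (macOS resolves `/var/...` to `/private/var/...`) the realpath'd file never starts with the unresolved `os.tmpdir()`, which would turn every upload into a 403. The stream on the next line is then opened from the unvalidated `path` rather than the resolved `filePath`, so the value that was checked and the value that is read can differ (a relative `path` is also resolved against the process cwd there, not the temp root). Resolve the temp root with `fs.realpathSync` too, require `PATH.sep` after it, and read from `filePath`; the uppercase `PATH` alias introduced in the `@@ -8` hunk also breaks the file's camelCase convention, which renaming the shadowing `path` variable (declared outside the hunk) would avoid. Where `path` comes from is outside the hunk, and useUpload's body continues past it.
```typescript
      const s3 = new S3Client(S3_OPTIONS);

      // Resolve the temp root as well so a symlinked tmpdir still matches, and
      // require a separator after it so a sibling directory with a longer name
      // is not treated as inside the temp root.
      const tmpRoot = fs.realpathSync(os.tmpdir());
      const filePath = fs.realpathSync(PATH.resolve(tmpRoot, path));
      if (!filePath.startsWith(tmpRoot + PATH.sep)) {
        logger.error('File path is not starting with temp directory.');
        res.statusCode = 403;
        res.end();
        return;
      }
      // Read the path that was actually validated, not the caller-supplied one.
      const stream = fs.createReadStream(filePath);
      // … unchanged: uploadParams and the S3 put …
```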