Merge pull request #51 from janjaali/sec

Sanitize filenames
janjaali · Apr 10, 2023 · dec9b74 · dec9b74
2 parents 5139a3d + c6f0fd5
commit dec9b74
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 8 deletions.
diff --git a/README.md b/README.md
@@ -38,7 +38,7 @@ SendGrid-Mock serves as a simple server mocking the sendgrid-apis for developmen
 The SendGrid-Mock server and the UI are both contained in the same docker-image which you can pull from [Docker Hub](https://cloud.docker.com/u/ghashange/repository/docker/ghashange/sendgrid-mock) and start it via:
 
 ```shell
-docker run -it -p 3000:3000 -e "API_KEY=sendgrid-api-key" ghashange/sendgrid-mock:1.8.0
+docker run -it -p 3000:3000 -e "API_KEY=sendgrid-api-key" ghashange/sendgrid-mock:1.8.1
 ```
 
 Some prepared HTTP calls can be found [here](./http-calls).
@@ -50,7 +50,7 @@ The UI can be accessed at <http://localhost:3000>.
 SendGrid-Mock also supports SSL using [Let's Encrypt](https://letsencrypt.org/). To enable SSL, run it as follows:
 
 ```shell
-docker run -it -p 3000:3000 -e "API_KEY=sendgrid-api-key" -e "CERT_DOMAINNAMES=[your-domain-name]" -e "CERT_EMAIL=[your-email-address]" ghashange/sendgrid-mock:1.8.0
+docker run -it -p 3000:3000 -e "API_KEY=sendgrid-api-key" -e "CERT_DOMAINNAMES=[your-domain-name]" -e "CERT_EMAIL=[your-email-address]" ghashange/sendgrid-mock:1.8.1
 ```
 
 ## Development
@@ -63,7 +63,7 @@ The UI can be accessed at <http://localhost:3000>.
 
 ### Build
 
-Create docker image with `docker build -t ghashange/sendgrid-mock:1.8.0 .`.
+Create docker image with `docker build -t ghashange/sendgrid-mock:1.8.1 .`.
 
 ### Release
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "sendgrid-mock",
-  "version": "1.8.0-SNAPSHOT",
+  "version": "1.8.1",
   "description": "SendGrid API mock",
   "engines": {
     "node": ">=16",
@@ -34,7 +34,8 @@
     "log4js": "^6.4.0",
     "react": "^16.7.0",
     "react-dom": "^16.7.0",
-    "react-table": "^6.9.0"
+    "react-table": "^6.9.0",
+    "sanitize-filename": "^1.6.3"
   },
   "devDependencies": {
     "babel-eslint": "^10.0.2",

diff --git a/src/server/ssl/index.js b/src/server/ssl/index.js
@@ -5,6 +5,7 @@ const https = require('https');
 const { loggerFactory } = require('../logger/log4js');
 const path = require('path');
 const { spawn } = require('child_process');
+const sanitize = require('sanitize-filename');
 
 /** Binds an existing Express server application with SSL certificate to 
  * provide it via HTTPS using Certbot and Let's Encrypt. This implementation is 
@@ -68,10 +69,12 @@ const asHttpsServer = (expressApp) => {
   const webrootExpressApp = express();
   webrootExpressApp.get('/.well-known/acme-challenge/:fileName', (req, res) => {
 
+    const sanitizedFileName = sanitize(req.params.fileName);
+
     const filePath = path.join(
       '/usr/src/server',
       '.well-known/acme-challenge/',
-      req.params.fileName
+      sanitizedFileName
     );
 
     if (fs.existsSync(filePath)) {

diff --git a/version b/version
@@ -1 +1 @@
-1.8.1-SNAPSHOT-6
+1.8.1