Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Simple Whitelist for File Extensions #122

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
alexgurrola wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Simple Whitelist for File Extensions #122

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
68c4058
Add Whitelist
alexgurrola Jan 5, 2017
ffc771a
Add Whitelist for Renaming
alexgurrola Jan 6, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 43 additions & 11 deletions lib/FtpConnection.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1073,14 +1073,31 @@ FtpConnection.prototype._command_RNFR = function(commandArg) {
FtpConnection.prototype._command_RNTO = function(commandArg) {
var self = this;
var fileto = withCwd(self.cwd, commandArg);
self.fs.rename(pathModule.join(self.root, self.filefrom), pathModule.join(self.root, fileto), function(err) {
if (err) {
self._logIf(LOG.ERROR, 'Error renaming file from ' + self.filefrom + ' to ' + fileto);
self.respond('550 Rename failed' + (err.code === 'ENOENT' ? '; file does not exist' : ''));
} else {
self.respond('250 File renamed successfully');
}
});

// Filter extensions if whitelist available
var whitelist = self.server.options.allowedExtensions;
var accepted = true;
if (whitelist && typeof whitelist === 'object' && Array.isArray(whitelist) && whitelist.length) {
Copy link
Collaborator

@sstur sstur Jan 6, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Array.isArray(whitelist) && whitelist.length should be sufficient, right?

Copy link
Contributor

@mk-pmb mk-pmb Jan 6, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, if it's an object and has a length, why check for array-ity?

accepted = false;
whitelist.forEach(function (ext) {
if (fileto.endsWith(ext)) accepted = true;
Copy link
Collaborator

@sstur sstur Jan 6, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you check what version of Node added support for endsWith since we want to make sure we don't break existing installations..

Copy link
Contributor

@mk-pmb mk-pmb Jan 6, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should allow RegExps too, or Cartesian product will explode for relatively simple stuff like /\.(html?|jpe?g|png|gif|p[pgx]m|txt)(\.((t?g|7)z|zip|tar(\.[g7]z|))|)$/. And that doesn't even yet include rules to allow some parts to be all-uppercase when using tar. ;-)

});
}
if (accepted) {
self.fs.rename(pathModule.join(self.root, self.filefrom), pathModule.join(self.root, fileto), function(err) {
if (err) {
self._logIf(LOG.ERROR, 'Error renaming file from ' + self.filefrom + ' to ' + fileto);
self.respond('550 Rename failed' + (err.code === 'ENOENT' ? '; file does not exist' : ''));
} else {
self.respond('250 File renamed successfully');
}
});
} else {
self.respond("553 Rename failed; file type not allowed", function () {
self._logIf(3, "Disallowed renaming of file from " + self.filefrom + " to " + fileto);
});
}

};

FtpConnection.prototype._command_SIZE = function(commandArg) {
Expand Down Expand Up @@ -1213,9 +1230,24 @@ FtpConnection.prototype._STOR_usingWriteFile = function(filename, flag) {
time: startTime,
});

self.respond('150 Ok to send data', function() {
self._whenDataReady(handleUpload);
});
// Filter extensions if whitelist available
var whitelist = self.server.options.allowedExtensions;
var accepted = true;
if (whitelist && typeof whitelist === 'object' && Array.isArray(whitelist) && whitelist.length) {
accepted = false;
whitelist.forEach(function (ext) {
if (filename.endsWith(ext)) accepted = true;
});
}
Copy link
Collaborator

@sstur sstur Jan 6, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since we're repeating this whitelist checking logic, I think it would make sense to put it in a function so we can do: var accepted = checkWhitelist(self.server.options.allowedExtensions, filename);

Copy link
Contributor

@mk-pmb mk-pmb Jan 6, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also it should be have "extension" in its name because we might add other whitelists in the future.

if (accepted) {
self.respond("150 Ok to send data", function () {
self._whenDataReady(handleUpload);
});
} else {
self.respond("553 Requested file action aborted; file type not allowed", function () {
if (self.dataSocket) self._closeSocket(self.dataSocket);
});
}

function handleUpload() {
self.dataSocket.on('data', dataHandler);
Expand Down