From 68c405803032a4b8878aa7eb696765fd4e367cb9 Mon Sep 17 00:00:00 2001
From: Alex Gurrola
Date: Wed, 4 Jan 2017 17:28:22 -0800
Subject: [PATCH 1/2] Add Whitelist
---
 lib/FtpConnection.js | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/lib/FtpConnection.js b/lib/FtpConnection.js
index 828e1a8..21e7fa7 100644
--- a/lib/FtpConnection.js
+++ b/lib/FtpConnection.js
@@ -1213,9 +1213,24 @@ FtpConnection.prototype._STOR_usingWriteFile = function(filename, flag) {
 time: startTime,
 });
- self.respond('150 Ok to send data', function() {
- self._whenDataReady(handleUpload);
- });
+ // Filter extensions if whitelist available
+ var whitelist = self.server.options.allowedExtensions;
+ var accepted = true;
+ if (whitelist && typeof whitelist === 'object' && Array.isArray(whitelist) && whitelist.length) {
+ accepted = false;
+ whitelist.forEach(function (ext) {
+ if (filename.endsWith(ext)) accepted = true;
+ });
+ }
+ if (accepted) {
+ self.respond("150 Ok to send data", function () {
+ self._whenDataReady(handleUpload);
+ });
+ } else {
+ self.respond("553 Requested action not taken. File type not allowed.", function () {
+ if (self.dataSocket) self._closeSocket(self.dataSocket);
+ });
+ }
 function handleUpload() {
 self.dataSocket.on('data', dataHandler);
From ffc771a2a74ae44d93ac956f382b8a95cda97d67 Mon Sep 17 00:00:00 2001
From: alexgurrola
Date: Thu, 5 Jan 2017 22:27:10 -0800
Subject: [PATCH 2/2] Add Whitelist for Renaming
---
 lib/FtpConnection.js | 35 ++++++++++++++++++++++++++---------
 1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/lib/FtpConnection.js b/lib/FtpConnection.js
index 21e7fa7..5bf2915 100644
--- a/lib/FtpConnection.js
+++ b/lib/FtpConnection.js
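Review bot: The suffix test added under `// Filter extensions if whitelist available` is a bare `filename.endsWith(ext)` on the client-supplied name, so an entry configured without its dot (`'txt'`) also accepts `report.ptxt`, an empty-string entry accepts every name, and the `typeof whitelist === 'object'` test is already implied by `Array.isArray`. The same block is copied verbatim into `_command_RNTO` by the second patch, so both places should call one helper that normalises each entry to a dotted, lower-cased suffix once (sketch below); whether other upload paths besides `_STOR_usingWriteFile` exist I cannot see from here, but any that do need the same call. In the reject branch `self._closeSocket(self.dataSocket)` runs only if a data socket is already open, so a passive-mode data connection that arrives after the 553 reply is presumably left open — worth checking against what `_whenDataReady` does. `_STOR_usingWriteFile` starts and ends outside this hunk.

```javascript
// Shared by STOR and RNTO: true when `name` may be created with this suffix.
// No list (or an empty list) means every extension is allowed.
FtpConnection.prototype._isExtensionAllowed = function(name) {
  var whitelist = this.server.options.allowedExtensions;
  if (!Array.isArray(whitelist) || whitelist.length === 0) return true;
  var lower = String(name).toLowerCase();
  return whitelist.some(function(allowed) {
    allowed = String(allowed).toLowerCase();
    // anchor on the dot so 'txt' cannot match 'report.ptxt'
    if (allowed.charAt(0) !== '.') allowed = '.' + allowed;
    return lower.endsWith(allowed);
  });
};

// … in _STOR_usingWriteFile, replacing the inline whitelist block …
if (self._isExtensionAllowed(filename)) {
  // … unchanged: 150 reply and _whenDataReady(handleUpload) …
} else {
  // … unchanged: 553 reply and data-socket close …
}
```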
@@ -1073,14 +1073,31 @@ FtpConnection.prototype._command_RNFR = function(commandArg) {
 FtpConnection.prototype._command_RNTO = function(commandArg) {
 var self = this;
 var fileto = withCwd(self.cwd, commandArg);
- self.fs.rename(pathModule.join(self.root, self.filefrom), pathModule.join(self.root, fileto), function(err) {
- if (err) {
- self._logIf(LOG.ERROR, 'Error renaming file from ' + self.filefrom + ' to ' + fileto);
- self.respond('550 Rename failed' + (err.code === 'ENOENT' ? '; file does not exist' : ''));
- } else {
- self.respond('250 File renamed successfully');
- }
- });
+
+ // Filter extensions if whitelist available
+ var whitelist = self.server.options.allowedExtensions;
+ var accepted = true;
+ if (whitelist && typeof whitelist === 'object' && Array.isArray(whitelist) && whitelist.length) {
+ accepted = false;
+ whitelist.forEach(function (ext) {
+ if (fileto.endsWith(ext)) accepted = true;
+ });
+ }
+ if (accepted) {
+ self.fs.rename(pathModule.join(self.root, self.filefrom), pathModule.join(self.root, fileto), function(err) {
+ if (err) {
+ self._logIf(LOG.ERROR, 'Error renaming file from ' + self.filefrom + ' to ' + fileto);
+ self.respond('550 Rename failed' + (err.code === 'ENOENT' ? '; file does not exist' : ''));
+ } else {
+ self.respond('250 File renamed successfully');
+ }
+ });
+ } else {
+ self.respond("553 Rename failed; file type not allowed", function () {
+ self._logIf(3, "Disallowed renaming of file from " + self.filefrom + " to " + fileto);
+ });
+ }
+
 };
 FtpConnection.prototype._command_SIZE = function(commandArg) {
@@ -1227,7 +1244,7 @@ FtpConnection.prototype._STOR_usingWriteFile = function(filename, flag) {
 self._whenDataReady(handleUpload);
 });
 } else {
- self.respond("553 Requested action not taken. File type not allowed.", function () {
+ self.respond("553 Requested file action aborted; file type not allowed", function () {
 if (self.dataSocket) self._closeSocket(self.dataSocket);
 });
 }
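Review bot: The reject branch added at the end of `_command_RNTO` logs with `self._logIf(3, "Disallowed renaming …")` while the rename-error branch a few lines up uses `self._logIf(LOG.ERROR, …)`; use the `LOG.*` constant that stands for level `3` (the `LOG` table is not visible here) so both paths read the same way. The hunk also adds two empty `+` lines, one before the comment and one before `};`, that the surrounding code does not use. Checking only the RNTO target appears to be the right place, since RNFR seems merely to record `self.filefrom`; the duplicated `endsWith` loop itself is covered in the note on the first patch's STOR hunk.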