sanitize path in latest vod download

related to #470
MrBrax · Nov 7, 2023 · 19e764c · 19e764c
1 parent 34f520e
commit 19e764c
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 5 deletions.
diff --git a/server/src/Controllers/Channels.ts b/server/src/Controllers/Channels.ts
@@ -15,6 +15,7 @@ import { YouTubeVOD } from "@/Core/Providers/YouTube/YouTubeVOD";
 import { Webhook } from "@/Core/Webhook";
 import { debugLog } from "@/Helpers/Console";
 import {
+    sanitizePath,
     validateAbsolutePath,
     validateFilename,
     validateRelativePath,
@@ -672,7 +673,7 @@ export async function DownloadVideo(
         }
 
         const variables: VodBasenameTemplate = {
-            login: channel.internalName || "",
+            // login: channel.internalName || "",
             internalName: channel.internalName,
             displayName: channel.displayName,
             date: video.created_at?.replaceAll(":", "_"),
@@ -782,9 +783,8 @@ export async function DownloadVideo(
         }
 
         // make folder name
-        const basefolder = path.join(
-            channel.getFolder(),
-            basefolderPathTemplate
+        const basefolder = sanitizePath(
+            path.join(channel.getFolder(), basefolderPathTemplate)
         );
 
         if (!validateAbsolutePath(basefolder)) {

diff --git a/server/src/Core/Providers/Twitch/TwitchChannel.ts b/server/src/Core/Providers/Twitch/TwitchChannel.ts
@@ -1,3 +1,4 @@
+import { sanitizePath } from "@/Helpers/Filesystem";
 import { imageThumbnail } from "@/Helpers/Image";
 import type { ApiTwitchChannel } from "@common/Api/Client";
 import type { TwitchChannelConfig, VideoQuality } from "@common/Config";
@@ -1266,7 +1267,9 @@ export class TwitchChannel extends BaseChannel {
                 )
             );
 
-            basepath = path.join(channel_basepath, vod_folder_base);
+            basepath = sanitizePath(
+                path.join(channel_basepath, vod_folder_base)
+            );
         } else {
             basepath = channel_basepath;
         }

diff --git a/server/src/Helpers/Filesystem.ts b/server/src/Helpers/Filesystem.ts
@@ -70,3 +70,12 @@ export function validateRelativePath(dir: string): boolean {
 export function validateFilename(filename: string): boolean {
     return !/[\\/:*?"<>|\0]/.test(filename);
 }
+
+/**
+ * Replaces any invalid characters in a file path with an underscore. Does not prevent directory traversal.
+ * @param dir - The file path to sanitize.
+ * @returns The sanitized file path.
+ */
+export function sanitizePath(dir: string): string {
+    return dir.replace(/[:*?"<>|\0]/g, "_");
+}