fix: sanitize log file names in the api

Sanitize log file names to prevent directory traversal.
SignalK · Jun 25, 2024 · e937e58 · e937e58
1 parent d57209b
commit e937e58
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/interfaces/logfiles.js b/src/interfaces/logfiles.js
@@ -42,8 +42,9 @@ function mountApi(app) {
     })
   })
   app.get(`${SERVERROUTESPREFIX}/logfiles/:filename`, function (req, res) {
+    const sanitizedFilename = req.params.filename.replaceAll(/\.\.(\\|\/)/g, '')
     const sanitizedLogfile = path
-      .join(getFullLogDir(app), req.params.filename)
+      .join(getFullLogDir(app), sanitizedFilename)
       .replace(/\.\./g, '')
     res.sendFile(sanitizedLogfile)
   })