fix #266: sanitize exported filenames

NUWCDIVNPT · Apr 27, 2021 · 383214e · 383214e
1 parent b5acab8
commit 383214e
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 53 deletions.
diff --git a/api/source/controllers/Asset.js b/api/source/controllers/Asset.js
@@ -310,7 +310,7 @@ module.exports.getChecklistByAssetStig = async function getChecklistByAssetStig
         const j2x = new J2X(defaultOptions)
         let xml = `<?xml version="1.0" encoding="UTF-8"?>\n<!-- STIG Manager ${config.version} -->\n`
         xml += j2x.parse(response.cklJs)
-        writer.writeXml(res, xml, `${response.assetName}-${benchmarkId}-${revisionStr}.ckl`)
+        writer.writeInlineFile(res, xml, `${response.assetName}-${benchmarkId}-${revisionStr}.ckl`, 'application/xml')
       }
     }
     else {
@@ -363,7 +363,7 @@ module.exports.getChecklistByAsset = async function getChecklistByAssetStig (req
     const j2x = new J2X(parseOptions)
     let xml = `<?xml version="1.0" encoding="UTF-8"?>\n<!-- STIG Manager ${config.version} -->\n`
     xml += j2x.parse(cklObject.cklJs)
-    writer.writeXml(res, xml, `${cklObject.assetName}.ckl`)
+    writer.writeInlineFile(res, xml, `${cklObject.assetName}.ckl`, 'application/xml')
   }
   catch (err) {
     if (err.name === 'SmError') {

diff --git a/api/source/controllers/Collection.js b/api/source/controllers/Collection.js
@@ -186,7 +186,7 @@ module.exports.getPoamByCollection = async function getFindingsByCollection (req
       else {
         collectionName = collectionGrant.collection.name
       }
-      writer.writeXlsx( res, xlsx, `POAM-${collectionName}.xlsx`)
+      writer.writeInlineFile( res, xlsx, `POAM-${collectionName}.xlsx`, 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet')
     }
     else {
       throw( writer.respondWithCode ( 403, {message: "User has insufficient privilege to complete this request."} ) )

diff --git a/api/source/controllers/Operation.js b/api/source/controllers/Operation.js
@@ -71,8 +71,7 @@ module.exports.getAppData = async function getAppData (req, res, next) {
             level: 3
         }
       })
-      writer.writeZipFile(res, buffer, 'stig-manager-appdata.json.zip')
-      // writer.writeJsonFile(res, response, 'stig-manager-appdata.json')
+      writer.writeInlineFile(res, buffer, 'stig-manager-appdata.json.zip', 'application/zip')
     }
     else {
       throw( writer.respondWithCode ( 403, {message: `User has insufficient privilege to complete this request.`} ) )

diff --git a/api/source/utils/writer.js b/api/source/utils/writer.js
@@ -55,55 +55,15 @@ var writeJson = exports.writeJson = function(response, arg1, arg2) {
   response.end(payload);
 }
 
-exports.writeZipFile = function(response, buffer, filename) {
-  response.writeHead(200, {
-    'Content-Type': 'application/zip', 
-    'Content-Disposition': `attachment; filename="${filename}"`,
-    'Access-Control-Expose-Headers': 'Content-Disposition'
-  })
-  response.write(buffer)
-  response.end()
-}
-exports.writeJsonFile = function(response, payload, filename) {
-  response.writeHead(200, {
-    'Content-Type': 'application/json', 
-    'Content-Disposition': `attachment; filename="${filename}"`,
-    'Access-Control-Expose-Headers': 'Content-Disposition'
-  })
-  response.write(JSON.stringify(payload))
-  response.end()
-}
-exports.writePdf = function(response, payload, filename) {
-  response.writeHead(200, {
-    'Content-Type': 'application/pdf', 
-    'Content-Disposition': `inline; filename="${filename}"`,
-    'Access-Control-Expose-Headers': 'Content-Disposition'
-  })
-  response.write(payload)
-  response.end()
-}
-exports.writeCsv = function(response, payload, filename) {
-  response.writeHead(200, {
-    'Content-Type': 'text/csv',
-    'Content-Disposition': `inline; filename="${filename}"`,
-    'Access-Control-Expose-Headers': 'Content-Disposition'
-  })
-  response.write(payload)
-  response.end()
-}
-exports.writeXml = function(response, payload, filename) {
-  response.writeHead(200, {
-    'Content-Type': 'application/xml',
-    'Content-Disposition': `inline; filename="${filename}"`,
-    'Access-Control-Expose-Headers': 'Content-Disposition'
-  })
-  response.write(payload)
-  response.end()
-}
-exports.writeXlsx = function(response, payload, filename) {
+const charToHexStr = (c) => `%${c.charCodeAt(0).toString(16).padStart(2, '0')}`
+
+const goodFilename = (string) =>
+  string.replace(/[<>:"/\\|?*\x00-\x1F]| +$/g, charToHexStr)
+
+exports.writeInlineFile = function(response, payload, filename, contentType) {
   response.writeHead(200, {
-    'Content-Type': 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
-    'Content-Disposition': `inline; filename="${filename}"`,
+    'Content-Type': contentType,
+    'Content-Disposition': `inline; filename="${goodFilename(filename)}"`,
     'Access-Control-Expose-Headers': 'Content-Disposition'
   })
   response.write(payload)