From 5d72fae4f1c8ed42f5e51cf9d1a3b16e854da1af Mon Sep 17 00:00:00 2001
From: Charlie Hsieh
Date: Fri, 6 Jan 2023 17:50:32 +0800
Subject: [PATCH] fix: restrict export type and use sandbox to prevent potential attack
Signed-off-by: Charlie Hsieh
---
 lib/note/noteActions.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/note/noteActions.js b/lib/note/noteActions.js
index 31f7c1f46f..d9c57da21f 100644
--- a/lib/note/noteActions.js
+++ b/lib/note/noteActions.js
@@ -132,14 +132,17 @@ async function actionPandoc (req, res, note) {
 var path = config.tmpPath + '/' + Date.now()
 content = content.replace(/\]\(\//g, '](' + url + '/')
- // TODO: check export type
 const { exportType } = req.query
+ const contentType = outputFormats[exportType]
 try {
 // TODO: timeout rejection
+ if (!contentType) {
+ return res.sendStatus(400)
+ }
 await pandoc.convertToFile(content, 'markdown', exportType, path, [
- '--metadata', `title=${title}`
+ '--metadata', `title=${title}`, '--sandbox'
 ])
 var stream = fs.createReadStream(path)
@@ -149,7 +152,7 @@ async function actionPandoc (req, res, note) {
 // Ideally this should strip them
 res.setHeader('Content-disposition', `attachment; filename="${filename}.${exportType}"`)
 res.setHeader('Cache-Control', 'private')
- res.setHeader('Content-Type', `${outputFormats[exportType]}; charset=UTF-8`)
+ res.setHeader('Content-Type', `${contentType}; charset=UTF-8`)
 res.setHeader('X-Robots-Tag', 'noindex, nofollow') // prevent crawling
 stream.pipe(res)
 } catch (err) {
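Review bot: The new `if (!contentType)` guard in the first hunk is not a strict allowlist if `outputFormats` is a plain object literal (its definition is outside the hunk), because a bracket lookup also resolves property names inherited from `Object.prototype`, and `req.query.exportType` may arrive as an array or object rather than a string. I would check the type and own-key membership before the lookup, `if (typeof exportType !== 'string' || !Object.prototype.hasOwnProperty.call(outputFormats, exportType)) return res.sendStatus(400)`, and move it above the `try` so the rejection path does not depend on the catch block. The same `exportType` value is interpolated into the `Content-disposition` filename in the second hunk, so that header relies on this check as well. The `--sandbox` option only exists in pandoc 2.15 and later, so a short comment next to it stating the minimum pandoc version would help operators whose exports start failing on older installs. The body of `actionPandoc` begins and ends outside both hunks.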