feat(server): sanitized path for asset creation process to avoid security risk (#717)

* feat(server): sanitized path for asset creation process to avoid security risk * Sanitize resize path
2025-11-14 04:42:42 +09:00 · 2022-09-18 15:16:53 -05:00
parent ece94f6bdc
commit e3ccc3ee6b
5 changed files with 323 additions and 842 deletions
--- a/server/apps/microservices/src/processors/thumbnail.processor.ts
+++ b/server/apps/microservices/src/processors/thumbnail.processor.ts
@@ -1,3 +1,4 @@
+import { APP_UPLOAD_LOCATION } from '@app/common';
 import { ImmichLogLevel } from '@app/common/constants/log-level.constant';
 import { AssetEntity, AssetType } from '@app/database/entities/asset.entity';
 import {
@@ -19,9 +20,11 @@ import { Job, Queue } from 'bull';
 import ffmpeg from 'fluent-ffmpeg';
 import { randomUUID } from 'node:crypto';
 import { existsSync, mkdirSync } from 'node:fs';
+import sanitize from 'sanitize-filename';
 import sharp from 'sharp';
 import { Repository } from 'typeorm/repository/Repository';
-import { CommunicationGateway } from '../../../immich/src/api-v1/communication/communication.gateway';
+import { join } from 'path';
+import { CommunicationGateway } from 'apps/immich/src/api-v1/communication/communication.gateway';

@Processor(thumbnailGeneratorQueueName)
 export class ThumbnailGeneratorProcessor {
@@ -46,9 +49,12 @@ export class ThumbnailGeneratorProcessor {

  @Process({ name: generateJPEGThumbnailProcessorName, concurrency: 3 })
  async generateJPEGThumbnail(job: Job<JpegGeneratorProcessor>) {
-    const { asset } = job.data;
+    const basePath = APP_UPLOAD_LOCATION;

-    const resizePath = `upload/${asset.userId}/thumb/${asset.deviceId}/`;
+    const { asset } = job.data;
+    const sanitizedDeviceId = sanitize(asset.deviceId);
+
+    const resizePath = join(basePath, asset.userId, 'thumb', sanitizedDeviceId);

    if (!existsSync(resizePath)) {
      mkdirSync(resizePath, { recursive: true });