fix: check if folder exists when uploading files in acp

2026-01-10 17:42:52 +01:00 · 2025-03-10 16:49:40 -04:00
parent 6d74ee2f59
commit 76896859fa
2 changed files with 14 additions and 0 deletions
--- a/src/controllers/admin/uploads.js
+++ b/src/controllers/admin/uploads.js
@@ -244,6 +244,9 @@ uploadsController.uploadFile = async function (req, res, next) {
 		return next(new Error('[[error:invalid-json]]'));
 	}

+	if (!await file.exists(path.join(nconf.get('upload_path'), params.folder))) {
+		return next(new Error('[[error:invalid-path]]'));
+	}
 	try {
 		const data = await file.saveFileToLocal(uploadedFile.name, params.folder, uploadedFile.path);
 		res.json([{ url: data.url }]);
--- a/test/uploads.js
+++ b/test/uploads.js
@@ -400,6 +400,17 @@ describe('Upload Controllers', () => {
 			assert.strictEqual(body.error, '[[error:invalid-path]]');
 		});

+		it('should fail to upload regular file if directory does not exist', async () => {
+			const { response, body } = await helpers.uploadFile(`${nconf.get('url')}/api/admin/upload/file`, path.join(__dirname, '../test/files/test.png'), {
+				params: JSON.stringify({
+					folder: 'does-not-exist',
+				}),
+			}, jar, csrf_token);
+
+			assert.equal(response.statusCode, 500);
+			assert.strictEqual(body.error, '[[error:invalid-path]]');
+		});
+
 		describe('ACP uploads screen', () => {
 			it('should create a folder', async () => {
 				const { response } = await helpers.createFolder('', 'myfolder', jar, csrf_token);