Merge pull request #1790 from galaxian85/bugfix/pandoc-security-issue

jackycute · web-flow · commit b09a4729cc8c · 2023-03-09T12:06:18.000+08:00
diff --git a/lib/note/noteActions.js b/lib/note/noteActions.js
@@ -132,14 +132,17 @@ async function actionPandoc (req, res, note) {
   var path = config.tmpPath + '/' + Date.now()
   content = content.replace(/\]\(\//g, '](' + url + '/')
 
-  // TODO: check export type
   const { exportType } = req.query
+  const contentType = outputFormats[exportType]
 
   try {
     // TODO: timeout rejection
+    if (!contentType) {
+      return res.sendStatus(400)
+    }
 
     await pandoc.convertToFile(content, 'markdown', exportType, path, [
-      '--metadata', `title=${title}`
+      '--metadata', `title=${title}`, '--sandbox'
     ])
 
     var stream = fs.createReadStream(path)
@@ -149,7 +152,7 @@ async function actionPandoc (req, res, note) {
     // Ideally this should strip them
     res.setHeader('Content-disposition', `attachment; filename="${filename}.${exportType}"`)
     res.setHeader('Cache-Control', 'private')
-    res.setHeader('Content-Type', `${outputFormats[exportType]}; charset=UTF-8`)
+    res.setHeader('Content-Type', `${contentType}; charset=UTF-8`)
     res.setHeader('X-Robots-Tag', 'noindex, nofollow') // prevent crawling
     stream.pipe(res)
   } catch (err) {
