codeql
parent
d4aaa6268e
commit
afa59521fa
2 changed files with 31 additions and 17 deletions
|
@ -122,8 +122,9 @@ export const serve_style = {
|
|||
);
|
||||
return res.sendStatus(404);
|
||||
}
|
||||
const spriteScale = allowedSpriteScales(scale);
|
||||
|
||||
const sprite = item.spritePaths.find((sprite) => sprite.id === spriteID);
|
||||
const spriteScale = allowedSpriteScales(scale);
|
||||
if (!sprite || spriteScale === null) {
|
||||
if (verbose)
|
||||
console.error(
|
||||
|
@ -136,7 +137,9 @@ export const serve_style = {
|
|||
return res.status(400).send('Bad Sprite ID or Scale');
|
||||
}
|
||||
|
||||
const filename = `${sprite.path}${spriteScale}.${validatedFormat}`;
|
||||
const sanitizedSpritePath = sprite.path.replace(/^(\.\.\/)+/, '');
|
||||
|
||||
const filename = `${sanitizedSpritePath}${spriteScale}.${validatedFormat}`;
|
||||
if (verbose) console.log(`Loading sprite from: %s`, filename);
|
||||
|
||||
// eslint-disable-next-line security/detect-non-literal-fs-filename
|
||||
|
@ -151,9 +154,9 @@ export const serve_style = {
|
|||
return res.sendStatus(404);
|
||||
}
|
||||
|
||||
if (format === 'json') {
|
||||
if (validatedFormat === 'json') {
|
||||
res.header('Content-type', 'application/json');
|
||||
} else if (format === 'png') {
|
||||
} else if (validatedFormat === 'png') {
|
||||
res.header('Content-type', 'image/png');
|
||||
}
|
||||
if (verbose)
|
||||
|
|
37
src/utils.js
37
src/utils.js
|
@ -196,19 +196,29 @@ export function fixTileJSONCenter(tileJSON) {
|
|||
*/
|
||||
function getFontPbf(allowedFonts, fontPath, name, range, fallbacks) {
|
||||
return new Promise((resolve, reject) => {
|
||||
const fontMatch = name?.match(/^[\w\s-]+$/);
|
||||
if (!name || typeof name !== 'string' || name.trim() === '' || !fontMatch) {
|
||||
console.error('ERROR: Invalid font name: %s', 'invalid');
|
||||
return reject('Invalid font name');
|
||||
}
|
||||
const sanitizedName = fontMatch[0];
|
||||
const filename = path.join(fontPath, sanitizedName, `${range}.pbf`);
|
||||
|
||||
if (!/^\d+-\d+$/.test(range)) {
|
||||
console.error('ERROR: Invalid range: %s', range);
|
||||
return reject('Invalid range');
|
||||
}
|
||||
if (!allowedFonts || (allowedFonts[name] && fallbacks)) {
|
||||
const fontMatch = name?.match(/^[\w\s-]+$/);
|
||||
if (
|
||||
!name ||
|
||||
typeof name !== 'string' ||
|
||||
name.trim() === '' ||
|
||||
!fontMatch
|
||||
) {
|
||||
console.error('ERROR: Invalid font name: %s', 'invalid');
|
||||
return reject('Invalid font name');
|
||||
}
|
||||
const sanitizedName = fontMatch[0];
|
||||
console.error('ERROR: Invalid font name: %s', sanitizedName);
|
||||
if (!/^\d+-\d+$/.test(range)) {
|
||||
console.error('ERROR: Invalid range: %s', range);
|
||||
return reject('Invalid range');
|
||||
}
|
||||
const sanitizedFontPath = fontPath.replace(/^(\.\.\/)+/, '');
|
||||
const filename = path.join(
|
||||
sanitizedFontPath,
|
||||
sanitizedName,
|
||||
`${range}.pbf`,
|
||||
);
|
||||
if (!fallbacks) {
|
||||
fallbacks = clone(allowedFonts || {});
|
||||
}
|
||||
|
@ -224,7 +234,7 @@ function getFontPbf(allowedFonts, fontPath, name, range, fallbacks) {
|
|||
if (fallbacks && Object.keys(fallbacks).length) {
|
||||
let fallbackName;
|
||||
|
||||
let fontStyle = sanitizedName.split(' ').pop();
|
||||
let fontStyle = name.split(' ').pop();
|
||||
if (['Regular', 'Bold', 'Italic'].indexOf(fontStyle) < 0) {
|
||||
fontStyle = 'Regular';
|
||||
}
|
||||
|
@ -235,6 +245,7 @@ function getFontPbf(allowedFonts, fontPath, name, range, fallbacks) {
|
|||
fallbackName = Object.keys(fallbacks)[0];
|
||||
}
|
||||
}
|
||||
|
||||
console.error(
|
||||
`ERROR: Trying to use %s as a fallback for: %s`,
|
||||
fallbackName,
|
||||
|
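Review bot: The new `console.error('ERROR: Invalid font name: %s', sanitizedName);` placed directly after `const sanitizedName = fontMatch[0];` appears to be unconditional, so every request whose name has already passed the `^[\w\s-]+$` check would still log an "Invalid font name" error; if it sits on the added side as the print order suggests, it should be dropped, since the rejection branch above it already reports the failure. Separately, `fontPath.replace(/^(\.\.\/)+/, '')` only strips a leading run of `../` and leaves embedded `/../` segments and absolute paths untouched, so it does not by itself keep the joined path under the font directory; the effective guard in this function is the name and range validation, and the same pattern on `sprite.path` in the serve_style hunk has the same limit. If `fontPath` can be influenced by callers, a containment check after the `path.join`, such as `if (!path.resolve(filename).startsWith(path.resolve(sanitizedFontPath) + path.sep)) return reject('Invalid font path');`, would state the intent directly. getFontPbf's body continues past this hunk.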
|