feat: Validate scan link format and update file path handling

2025-07-18 18:40:52 -04:00
parent ebf42e073a
commit 5ad3c1058b
2 changed files with 12 additions and 2 deletions
--- a/client/eslint.config.ts
+++ b/client/eslint.config.ts
@ -21,10 +21,15 @@ export default defineConfigWithVueTs(

  pluginVue.configs['flat/essential'],
  vueTsConfigs.recommended,
-  
+
  {
    ...pluginVitest.configs.recommended,
    files: ['src/**/__tests__/*'],
  },
  skipFormatting,
+  {
+    rules: {
+      '@typescript-eslint/no-explicit-any': 'off',
+    },
+  }
 )
--- a/server/app.js
+++ b/server/app.js
@ -116,7 +116,12 @@ app.get('/api/music-scans/download/:id', AuthHandler, async (req, res) => {
  else if (queryResult.length > 1) res.status(500).json({ message: 'Multiple scans found with the same ID' });
  else {
    const scan = queryResult[0];
-    const filePath = path.join(UPLOAD_FOLDER, scan.link);
+    if (!scan.link || !scan.link.endsWith('.pdf')) {
+      res.status(400).json({ message: 'Invalid scan link' });
+      return;
+    }
+    const link = path.join(...(scan.link.split('\\')));
+    const filePath = path.join(UPLOAD_FOLDER, link);
    res.download(filePath, scan.name + '.pdf');
  }
 });