krisolo/boss
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: harden attachment access and file paths

Browse Source
This commit is contained in:
kris
2026-03-29 15:47:07 +08:00
parent aa75506364
commit de23a6e921
5 changed files with 370 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
src/app/api/v1/attachments/[attachmentId]/download/route.ts
View File

@@ -3,7 +3,8 @@ import { stat } from "node:fs/promises";
import { Readable } from "node:stream";
import { NextRequest, NextResponse } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { getAttachmentById } from "@/lib/boss-data";
import { canSessionAccessAttachmentProject } from "@/lib/boss-attachment-access";
import { getAttachmentById, readState } from "@/lib/boss-data";
import { buildAttachmentDownloadHeaders } from "@/lib/boss-attachments";
import { resolveServerFileAttachmentAbsolutePath } from "@/lib/boss-storage-server-file";
@@ -23,6 +24,10 @@ export async function GET(
if (!record) {
return NextResponse.json({ ok: false, message: "ATTACHMENT_NOT_FOUND" }, { status: 404 });
}
const state = await readState();
if (!canSessionAccessAttachmentProject(state, session, record.project)) {
return NextResponse.json({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
if (record.attachment.storageBackend !== "server_file") {
return NextResponse.json(
@@ -31,7 +36,12 @@ export async function GET(
);
}
const absolutePath = resolveServerFileAttachmentAbsolutePath(record.attachment.storagePath);
let absolutePath: string;
try {
absolutePath = resolveServerFileAttachmentAbsolutePath(record.attachment.storagePath);
} catch {
return NextResponse.json({ ok: false, message: "ATTACHMENT_FILE_NOT_FOUND" }, { status: 404 });
}
try {
await stat(absolutePath);
} catch {

4
src/app/api/v1/projects/[projectId]/attachments/route.ts
View File

@@ -1,6 +1,7 @@
import { randomBytes } from "node:crypto";
import { NextRequest, NextResponse } from "next/server";
import { requireRequestSession } from "@/lib/boss-auth";
import { canSessionAccessAttachmentProject } from "@/lib/boss-attachment-access";
import {
appendAttachmentMessage,
getAttachmentStorageConfig,
@@ -31,6 +32,9 @@ export async function POST(
if (!project) {
return NextResponse.json({ ok: false, message: "PROJECT_NOT_FOUND" }, { status: 404 });
}
if (!canSessionAccessAttachmentProject(state, session, project)) {
return NextResponse.json({ ok: false, message: "FORBIDDEN" }, { status: 403 });
}
const form = await request.formData();
const file = form.get("file");