fix: only allow absolute paths

immich-app · Oct 21, 2024 · 1fd055e · 1fd055e
1 parent 45517ab
commit 1fd055e
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 0 deletions.
diff --git a/e2e/src/api/specs/library.e2e-spec.ts b/e2e/src/api/specs/library.e2e-spec.ts
@@ -633,6 +633,29 @@ describe('/libraries', () => {
       });
     });
 
+    it("should fail if path isn't absolute", async () => {
+      const pathToTest = `relative/path`;
+
+      const cwd = process.cwd();
+      // Create directory in cwd
+      utils.createDirectory(`${cwd}/${pathToTest}`);
+
+      const response = await utils.validateLibrary(admin.accessToken, library.id, {
+        importPaths: [pathToTest],
+      });
+
+      utils.removeDirectory(`${cwd}/${pathToTest}`);
+
+      expect(response.importPaths?.length).toEqual(1);
+      const pathResponse = response?.importPaths?.at(0);
+
+      expect(pathResponse).toEqual({
+        importPath: pathToTest,
+        isValid: false,
+        message: expect.stringMatching('Import path must be absolute, try /usr/src/app/relative/path'),
+      });
+    });
+
     it('should fail if path is a file', async () => {
       const pathToTest = `${testAssetDirInternal}/albums/nature/el_torcal_rocks.jpg`;
 

diff --git a/server/src/cores/storage.core.ts b/server/src/cores/storage.core.ts
@@ -105,6 +105,14 @@ export class StorageCore {
     return originalPath.startsWith(StorageCore.getBaseFolder(StorageFolder.ENCODED_VIDEO));
   }
 
+  static isAbsolutePath(path: string) {
+    if (!path.startsWith('/')) {
+      return false;
+    }
+
+    return path === resolve(path);
+  }
+
   static isImmichPath(path: string) {
     const resolvedPath = resolve(path);
     const resolvedAppMediaLocation = resolve(APP_MEDIA_LOCATION);

diff --git a/server/src/services/library.service.ts b/server/src/services/library.service.ts
@@ -263,6 +263,11 @@ export class LibraryService extends BaseService {
     const validation = new ValidateLibraryImportPathResponseDto();
     validation.importPath = importPath;
 
+    if (!StorageCore.isAbsolutePath(importPath)) {
+      validation.message = `Import path must be absolute, try ${path.resolve(importPath)}`;
+      return validation;
+    }
+
     if (StorageCore.isImmichPath(importPath)) {
       validation.message = 'Cannot use media upload folder for external libraries';
       return validation;