From c6978261c751add0f02d75206c089eeda9ea8ccb Mon Sep 17 00:00:00 2001
From: Loay
Date: Tue, 7 Feb 2017 22:21:18 -0500
Subject: [PATCH] Fix path joining/expanding
---
 lib/providers/filesystem/index.js | 4 +++-
 test/fs.test.js | 1 -
 test/upload-download.test.js | 36 +++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 2 deletions(-)
diff --git a/lib/providers/filesystem/index.js b/lib/providers/filesystem/index.js
index 9e6dcbd..251ff61 100644
--- a/lib/providers/filesystem/index.js
+++ b/lib/providers/filesystem/index.js
@@ -40,9 +40,11 @@ function FileSystemProvider(options) {
 }
 var namePattern = new RegExp('[^' + path.sep + '/]+');
+// To detect any file/directory containing dotdot paths
+var containsDotDotPaths = /(^|[\\\/])\.\.([\\\/]|$)/;
 function validateName(name, cb) {
- if (!name) {
+ if (!name || containsDotDotPaths.test(name)) {
 cb && process.nextTick(cb.bind(null, new Error(g.f('Invalid name: %s', name))));
 if (!cb) {
 console.error(g.f('{{FileSystemProvider}}: Invalid name: %s', name));
diff --git a/test/fs.test.js b/test/fs.test.js
index a9f8c4b..331756d 100644
--- a/test/fs.test.js
+++ b/test/fs.test.js
@@ -161,4 +161,3 @@ describe('FileSystem based storage provider', function() {
 });
 });
 });
-
diff --git a/test/upload-download.test.js b/test/upload-download.test.js
index 7bc16e6..b11c35d 100644
--- a/test/upload-download.test.js
+++ b/test/upload-download.test.js
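Review bot: The new containsDotDotPaths test on the `if (!name || …)` line is a denylist applied to the name string in isolation, so the traversal protection only holds if every caller that builds a filesystem path remembers to route each segment through validateName; the more robust guarantee is to also check containment where the path is actually joined, e.g. `var full = path.resolve(rootDir, name);` followed by `if (full.indexOf(path.resolve(rootDir) + path.sep) !== 0) { /* reject as Invalid name */ }` (using whatever option holds the provider's root), which additionally catches absolute names and Windows drive-letter prefixes that the regex does not look at. The comment on the regex is vague about what is and is not rejected; I'd replace it with `// Reject any ".." path segment ("..", "../x", "a/../b"); ".." inside a longer segment such as "a..b" is allowed`. validateName's body continues past the hunk, so whether namePattern later rejects separators entirely is not visible here; note that namePattern as declared is unanchored and matches any string containing one non-separator character unless the later code checks that the match spans the whole name.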
@@ -173,6 +173,42 @@ describe('storage service', function() {
 });
 });
+ it('fails to upload using dotdot file path', function(done) {
+ request('http://localhost:' + app.get('port'))
+ .post('/containers/%2e%2e/upload')
+ .expect(200, function(err, res) {
+ assert(err);
+ done();
+ });
+ });
+
+ it('fails to upload using dotdot file path', function(done) {
+ request('http://localhost:' + app.get('port'))
+ .post('%2e%2e/containers/upload')
+ .expect(200, function(err, res) {
+ assert(err);
+ done();
+ });
+ });
+
+ it('fails to upload using dotdot file path', function(done) {
+ request('http://localhost:' + app.get('port'))
+ .post('%2e%2e')
+ .expect(200, function(err, res) {
+ assert(err);
+ done();
+ });
+ });
+
+ it('fails to upload using dotdot file path', function(done) {
+ request('http://localhost:' + app.get('port'))
+ .post('/containers/upload/%2e%2e')
+ .expect(200, function(err, res) {
+ assert(err);
+ done();
+ });
+ });
+
 it('uploads files with renamer', function(done) {
 request('http://localhost:' + app.get('port'))
 .post('/imageContainers/album1/upload')
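Review bot: The four new tests only assert that the response is not 200 (`.expect(200, …)` followed by `assert(err)`), so they pass on any failure, including the wrong one: `.post('%2e%2e/containers/upload')` and `.post('%2e%2e')` have no leading slash, so supertest concatenates them onto the base URL as `http://localhost:PORT%2e%2e/…`, which as far as I can see never reaches the upload route at all, and the `/containers/%2e%2e/upload` and `/containers/upload/%2e%2e` cases would equally pass on a plain 404 from a missing route. Pin the actual rejection instead, e.g. `.expect(/Invalid name/)` plus the status the service really returns (presumably 500, since the error in validateName carries no statusCode — confirm), and finish with `.end(done)` rather than calling `assert` inside the expect callback, where a thrown assertion skips `done()` and turns a failure into a timeout. All four tests share the title 'fails to upload using dotdot file path'; give each a distinct name (e.g. '…dotdot container name', '…dotdot file name', '…dotdot with no leading slash') so a failure is attributable from the report.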