brendan/nanodrop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Code review fixes, Docker, and deployment config

Browse Source 
- Fix tsconfig: switch to ESNext/Bundler module resolution (tsx compatible)
- Sanitize file extensions against path traversal (^.[a-zA-Z0-9]+$ only)
- Sanitize Content-Disposition filename to prevent header injection
- Extract tokenCookieOptions helper to eliminate duplication across auth handlers
- Remove unused baseUrl param from fileListPage
- Add Dockerfile (multi-stage build with alpine + native tools for bcrypt)
- Add docker-compose.yml with named volume for data persistence
- Add .env.example with all environment variables documented

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Brendan Chen
2026-03-03 15:58:39 -08:00
parent 8fd1464b9d
commit 6d8fb9105d
9 changed files with 81 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/routes/api/v1/files.ts
View File

@@ -34,7 +34,8 @@ export const filesApiRoutes: FastifyPluginAsync<{ deps: Deps }> = async (app, {
const fileBuffer = await data.toBuffer();
const id = nanoid();
const ext = extname(data.filename);
const rawExt = extname(data.filename);
const ext = /^\.[a-zA-Z0-9]+$/.test(rawExt) ? rawExt : '';
const storedName = `${id}${ext}`;
await saveFile(config.uploadDir, storedName, fileBuffer);